May 12, 2004

Blogrolling's big security issue

UPDATE:

- Blogrolling has announced that the issue is resolved.

- I had informed the Blogrolling.com support system about the issue at 5/12/2004 5:11 AM. So please do not accuse me of being unethical. By the way, I'm sure that had the issue not gone public, they'd never have taken it seriously. This is exactly why media are crucial and powerful. But I do admit that I could have been a little less specific about what exactly the problem is.

------

God, what a mess.

Just log on to your BlogRolling account, then find someone else's Blogroll id by looking at their page source, and then use that id with the edit_roll.phtml script on blogrolling.com, and there you go. You can edit, delete, add or do anything you want to that poor blogroll. And look who is vulnerable (only some of them).

Do the guys at Tucows know this stupid security hole?

Thanks to an Iranian blogger for the tip and for being a nice person by not deleting my links.

If you don't believe me, log on to your Blogrolling account and click here. You can do whatever you want to Blogs for Bush. (Let's add John Kerry's blog to it.)

I also recommend that you back up all your blogrolls right now, until they fix this.
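The flaw the post describes is a missing ownership check: the edit script verifies that someone is logged in, but not that the roll id in the request belongs to that account. The following is an added illustration written for this page, not Blogrolling's or Tucows' code; it models such a handler in Python with hypothetical names (Blogroll, edit_roll_vulnerable, edit_roll_fixed) and includes the regression check a site owner would keep to make sure the bug stays fixed.

```python
# Added illustration, not Blogrolling's code: a toy model of an edit_roll-style
# handler, showing the missing ownership check beside the fix. All names here
# (Blogroll, edit_roll_vulnerable, edit_roll_fixed) are hypothetical.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Logged-in user tried to edit a blogroll they do not own."""

@dataclass
class Blogroll:
    roll_id: int                 # the id visible in the owner's page source
    owner: str                   # account that created the roll
    links: list = field(default_factory=list)


def edit_roll_vulnerable(rolls, session_user, roll_id, links):
    """The flaw as the post describes it: only 'is someone logged in?' is
    checked, so any account can rewrite any roll whose id it knows."""
    if session_user is None:
        raise PermissionError("login required")
    roll = rolls[roll_id]          # roll_id taken straight from the request
    roll.links = list(links)       # never compares session_user to roll.owner
    return roll


def edit_roll_fixed(rolls, session_user, roll_id, links):
    """Same handler with the authorization check: the roll is resolved in the
    context of the session user, so a foreign id is refused."""
    if session_user is None:
        raise PermissionError("login required")
    roll = rolls.get(roll_id)
    if roll is None or roll.owner != session_user:
        # One response for 'no such roll' and 'not your roll', so the handler
        # does not confirm which ids exist.
        raise Forbidden(roll_id)
    roll.links = list(links)
    return roll


def cross_account_edit_succeeds(handler):
    """Regression check a site owner could keep in the test suite: True means
    user 'bob' rewrote 'alice's blogroll through `handler` (bug present)."""
    rolls = {1001: Blogroll(1001, "alice", ["http://example.org/a"])}  # constructed
    try:
        handler(rolls, "bob", 1001, ["http://example.org/replaced"])
    except Forbidden:
        return False
    return rolls[1001].links == ["http://example.org/replaced"]
```

Running `cross_account_edit_succeeds` against each handler returns True for the vulnerable one and False for the fixed one; the same check belongs in a test suite so the ownership check cannot silently regress.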

Posted by hoder at May 12, 2004 12:23 AM

Comments
And this is my homepage.
- By: Carl Ross on August 2, 2004
---------
Salam dear hossein , I take photos in iraq I would be happy if you see it and may be link . http://baghdad-pictures.blogspot.com/
- By: asmar ahmad on May 15, 2004
---------
""lol"" dude, what have you been drinking? I was laughing my ass off reading your comment on that blogrolling issue. Please do educate us more. I'm so anxious to read your next topic...
- By: Arsiss on May 13, 2004
---------
Don't mind the conservative whiners. I think you did fine.
- By: Eric on May 13, 2004
---------
"I had informed the Blogrolling.com support system about the issue at 5/12/2004 5:11 AM. So please do not accuse me of being unethical." Wow - your restraint is amazing. Let me guess - you alerted Tucows, quickly beat off from excitement, and then posted the hack on your miserable little blog, sperm still stuck to your fingers. Or did I get the order wrong? Yeah, you're not unethical. You're just rank in biggest asswipe in Toronto today. Take that, bitch. *lol* Don't take him seriously, he was just horny when he wrote that. ^_^
- By: Hi on May 13, 2004
---------
Rogers T, my right-to-left bingo bango is better than your left-to-right bango bingo.
- By: Rogers Water on May 13, 2004
---------
While it's true that he should have given blogroll more time, the true guilty party is blogroll/twocows. This is such a basic security error that they should have caught it on their own much earlier.
- By: joe on May 13, 2004
---------
Someone translated what you have written in Persian in your fucking Persian blog: you proud of that, eh? Think just you understand your right-to-left bingo bango and the others are just fools? Shame on you. Keep off the internet and get some ethics courses. I just wonder how the University of Toronto has admitted such a stupid guy as you.
- By: Rogers. T on May 13, 2004
---------
Why does everyone blame Hossein for making this issue public? That was a ridiculous mistake! Blogrolling is responsible for obtaining a minimum of security for its users. Shame on them.
- By: Hex on May 13, 2004
---------
Typical, you are into messing around with right wingers' blogs, you should feel ashamed of yourself for encouraging people to do this.
- By: no on May 13, 2004
---------
"I had informed the Blogrolling.com support system about the issue at 5/12/2004 5:11 AM. So please do not accuse me of being unethical." Wow - your restraint is amazing. Let me guess - you alerted Tucows, quickly beat off from excitement, and then posted the hack on your miserable little blog, sperm still stuck to your fingers. Or did I get the order wrong? Yeah, you're not unethical. You're just rank in biggest asswipe in Toronto today. Take that, bitch.
- By: The letters F and U on May 12, 2004
---------
For a good idea of responsible disclosure, take a look at http://www.wiretrip.net/rfp/policy.html Had this been followed, Tucows would have been given the chance to fix the problem and if they hadn't, you would have been able to tell the world. Regardless of your position on vulnerability disclosure, it is irresponsible to suggest the use of a vulnerability toward specific groups.
- By: Chris Scott on May 12, 2004
---------
Nice blog. My heart and prayers go out to the Iranians under tyranny in Iran. So why would you be a liberal? Democrats have done nothing for you and your country. Anyway, thanks for bringing the blogroll exploit to everyone's notice before it was fixed. Very responsible of you.
- By: Liberals are Impudent on May 12, 2004
---------
By the way, I'm sure that had the issue not gone public, they'd never have taken it seriously. This is exactly why media are crucial and powerful. Wow. You just broke my Asshat-o-meter.
- By: Nobody on May 12, 2004
---------
From the blogrolling.com news blog:
=== This morning at roughly 9:05am EST, Brent Ashley brought a security vulnerability to our attention. The issue was escalated to our on call developer who crafted a hot-patch and fixed the problem by roughly 9:54am EST. ===
The right thing to do in such a situation is to notify us and give us a chance to fix the bug. If you ever find a security flaw in any Tucows product, you can drop me a line at jdevilla@tucows.com. It's part of my job to handle things like this. I'll make sure the appropriate alarms are sounded, action is taken and even pull strings to make sure that we send you some kind of gift of gratitude.
The wrong thing to do is to point out the flaw to the world, tell people how to exploit it and even make creative suggestions. That's just anti-community behaviour.
Joey deVilla
Technical Community Development Coordinator
Tucows, Inc.
- By: Joey deVilla on May 12, 2004
---------
Dear Hosein, Hi, I just received an e-mail from the blogrolling staff mentioning that the problem has been solved as of this morning! Cheers, Alius
- By: Alius Maximus on May 12, 2004
---------
Dude, I wanted to say that you are a MORON but I can see that Jason got here first - but I'll say that anyway.
- By: Vlad J. on May 12, 2004
---------
Further evidence of moral confusion: recommending the defacement of someone else's page while applauding his own good fortune. Just a tip to Hoder's thousands of blogchildren: please do not emulate this latest example.
- By: Ali on May 12, 2004
---------
You're an asshole. Just thought I'd disclose that since you're so hot on disclosure.
- By: Jason D- on May 12, 2004
---------
Yah - thanks for the heads-up. I'm sure the thousands of users whose data you've risked by posting this to your weblog really appreciate the fact that you've scooped everyone else instead of letting us know there is a problem.
- By: Ross Wm. Rader on May 12, 2004
---------
"Do the guys at Tucows know this stupid security hole?" I don't know - did you make any attempt to notify them before blabbing in public about their vulnerability? They just recently acquired Blogrolling so I'm sure they're learning as much about it as they can.
- By: Brent Ashley on May 12, 2004
---------
Don't you think people will poke at others' accounts after learning all this from your post? It would be better if you didn't disclose the procedure to enter others' accounts.
- By: Rifatq on May 12, 2004
---------