Another MyBlogLog exploit?

This didn’t make much sense, so I put it through my “DaveN English into American English” decoder ring, and it came out as “In MyBlogLog (MBL), it’s too easy to take ownership of unclaimed blogs.” Read this article on Google Tutor for a better explanation.

My reaction? Meh. Cause the joke is on you, Google Tutor. When you claimed authorship of my blog community on MyBlogLog, it wasn’t me who owned it in the first place. Someone else signed up and claimed to be me, so this 100+ person community isn’t mine! 🙂 That’s right, you just claimed a community that someone else faked. Who’s laughing now, eh? 🙂

Truthfully, this doesn’t bother me that much. MyBlogLog was clearly shooting to get big quickly, so it seems like they skimped on some of the authentication stuff in order to be lighter weight and get more sign-ups quickly. Technorati, Yahoo’s Site Explorer and the Google webmaster console make you do more work to sign up (by adding a few bits on your blog or site), but the result is that you can trust the authentication more. So it was a design choice on MyBlogLog’s part to go for easy sign-up traction and less authentication. And it worked, because Yahoo bought them. I don’t begrudge MBL that. But I also wouldn’t use the same password on MBL as I would on my bank site. 🙂
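To make the trade-off above concrete, here is an added example (written for this page, not MyBlogLog’s, Technorati’s or Google’s own code) of the “add a few bits to your blog” style of ownership check, next to the claim-it-and-it’s-yours style. The `site-verification` meta tag name, the `ClaimRegistry` class and the constructed sample pages are assumptions; the point is that a verified claim only succeeds when the service fetches the site and finds the random token it handed to that particular claimant, so an impostor who never controls the site cannot complete it.

```python
"""Token-based site-ownership verification (added example, not MyBlogLog's code).

A claimant is issued a random token, publishes it on the site they say they
own, and the service records ownership only after fetching the page and
finding that exact token. The unverified variant is included for contrast.
"""
import hmac
import secrets
from html.parser import HTMLParser

META_NAME = "site-verification"  # assumed tag name; real services use their own


class _MetaCollector(HTMLParser):
    """Collects the content attribute of every <meta name="site-verification">."""

    def __init__(self):
        super().__init__()
        self.tokens = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = dict(attrs)
        if (a.get("name") or "").lower() == META_NAME and a.get("content"):
            self.tokens.append(a["content"])


def extract_tokens(page_html):
    """Return all verification tokens found in a page (parsed, not regexed)."""
    parser = _MetaCollector()
    parser.feed(page_html)
    return parser.tokens


class ClaimRegistry:
    """Hypothetical service-side state: pending tokens and recorded owners."""

    def __init__(self):
        self.pending = {}   # (claimant, site) -> issued token
        self.owners = {}    # site -> claimant

    def claim_unverified(self, claimant, site):
        """Easy-sign-up style: whoever asserts ownership gets it, no proof."""
        self.owners[site] = claimant
        return True

    def start_verified_claim(self, claimant, site):
        """Issue a fresh 128-bit token for this claimant/site pair."""
        token = secrets.token_hex(16)
        self.pending[(claimant, site)] = token
        return token

    def complete_verified_claim(self, claimant, site, fetch):
        """Fetch the site; succeed only if it carries this claimant's token."""
        expected = self.pending.get((claimant, site))
        if expected is None:
            return False
        try:
            page = fetch(site)
        except Exception:          # unreachable site counts as not verified
            return False
        # compare_digest avoids early-exit timing differences on partial matches
        if any(hmac.compare_digest(t, expected) for t in extract_tokens(page)):
            self.owners[site] = claimant
            del self.pending[(claimant, site)]
            return True
        return False


def make_page(token=None):
    """Constructed sample blog front page, optionally carrying a token."""
    meta = f'<meta name="{META_NAME}" content="{token}">' if token else ""
    return f"<html><head><title>Blog</title>{meta}</head><body>hi</body></html>"


def demo():
    """Impostor grabs the site unverified; the real owner wins it back verified."""
    reg = ClaimRegistry()
    site = "http://blog.example/"        # constructed URL
    reg.claim_unverified("impostor", site)
    token = reg.start_verified_claim("owner", site)
    pages = {site: make_page(token)}     # stands in for a live HTTP fetch
    verified = reg.complete_verified_claim("owner", site, pages.__getitem__)
    return reg.owners[site], verified


if __name__ == "__main__":
    print(demo())  # ('owner', True)
```

The `fetch` callable is injected so the check runs offline against the constructed pages; in a real service it would be an HTTP GET of the claimed URL, and the token should be tied to the claimant as it is here, so that a token seen on someone else’s site proves nothing for a different account.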

P.S. I can’t do a post on MyBlogLog holes without mentioning Shoemoney’s from a few weeks ago.

30 Responses to Another MyBlogLog exploit?

  1. It wouldn’t hurt for the Googles, Yahoo!s, Technoratis and other big content aggregators on the Web to agree on an authentication standard so we don’t have to clutter our hard drives and files with meta-mash just to prove who we are to every service that comes along.

  2. Looks like web 2.0 companies don’t need to bother with a lot of the things that real programmers do properly 🙂

    This has given me an idea though – too good to waste on a comment though.

  3. Even with its flaws, it is still more valuable to have than to NOT have – and that really is the bottom line.

    Millions of people are enjoying this awesome free service – DESPITE its flaws – and are glad that the few rotten apples will not ruin it for everyone.

    People have faith that MyBlogLog will tweak their security, like virtually every popular service (MySpace and Digg included).

    But the real shame belongs to the ungrateful few that have nothing better to do than try to mess up a good thing for everyone – they are the ones who really deserve a public hanging, so to speak. 😐

    Dear Lord, how do these people LIVE with their conscience??…HOW???

  4. Dave (Original)

    Only 2 more blogs Matt and the “A quick word about cloaking” blog will be outa-sight-outa-mind 🙂

  5. Very OT – sorry.

    Matt, we spoke at SES in London. I also spoke to Dan Crowe who mentioned that redirecting ccTLDs onto .com sites would retain rank in country-filtered searches for those ccTLDs. He said he would confirm this and respond to me via email. I am still awaiting his response. Would you mind forwarding him a gentle reminder 🙂

    Many thanks in advance,
    And sorry for breaking the golden rule.

    Rgds
    Richard

  6. I don’t think it’s an exploit, they just want more people, and by making the “add of code” an obligation to webmasters … a lot would not do it.

  7. Joe

    Matt, I have been looking for a post on spam and Google for some time now and there seems to be a lack of that.

    I have reported a site that is using very small text stuffed in the footer etc for over a month now and it is getting better and better in the serps and the junk is on every page.

    I assume this is something that will soon get crazy again as I see the reports are not being looked into and the sites continue to be rewarded for this behavior.

  8. Hey Matt,

    I’m still laughing! You are not giving me enough credit, I called the Matt blog I claimed as a poser in the original post! I do wish it was yours though 😉

    I don’t see this as all that big a deal either really, but they need to clamp down on this stuff soon. If I can find a hole anyone can…you know like someone that writes very popular but difficult to read blog posts? Heh.

    -The Tutor

  9. I don’t get the whole goofy faces looking out from the sidebar thing.

  10. Hey Matt,

    I replied in the comments earlier, where did it go? Anyway, I followed up over here now:

    http://www.googletutor.com/2007/03/13/matt-cutts-replies-about-his-fake-mybloglog-account/

    Last laugh is on you! 😉

  11. Heh. You’d better watch out Matt – you might get your evil MBL doppelgänger banned for posting MyBlogLog hax. 😉

  12. You mean there is a super-secret DaveN decoder ring? I should send those to all the people who ping me asking “What on earth is DaveN saying?” 😉

  13. Jenstar, yup, there are only a few of them. I’ll loan you mine before Seodays starts so that the audience can understand him. The secret is that DaveN skips every third word when he talks, and then substitutes “yeah?” half of the time for the skipped words. 😉

  14. phantombookman

    The secret is that DaveN skips every third word when he talks

    I can’t imagine what words he might utter when he sees you’ve linked to him Matt 🙂

  15. Dax

    My decoder ring says he substitutes “yer?”, Matt.

    Mine’s a UK model though.

  16. Matt — you hit the nail on the head; it’s lighter weight for our users to sign up without having to verify that they own the blog. However, we’ve known that certain practices that work early on will not work as we get bigger, so we’re talking about setting up an optional verification process. The big challenge is really how to allow someone to take over an unverified blog and gracefully communicate to all parties what has transpired. Cheers!

  17. Dax – I looked in my PO box and found a signed, gray covered Edgar N Vective book in there, thanks man you got some imagination. Two thumbs up!

  18. Dabo

    That Googletutor site seems to be down… hmm, I wonder why.

  19. >> I don’t get the whole goofy faces looking out from the sidebar thing.

    That’s exactly what makes MBL half as appealing as it is. Instead of the cheap words and outrageous claims that accompany most of those underlined blue words around the web, MBL appears to attach a face to a site (read: credibility).

    Of course, that’s undermined to some degree by all the idiots who put pics of hot models and porn stars on their profile instead of their own.

    But overall, I enjoy clicking on faces.

  20. I don’t know when those people will make MyBlogLog a perfect system.

  21. Nicky

    Aaron Pratt Said,

    I don’t get the whole goofy faces looking out from the sidebar thing

    Are you saying my face is goofy?? Cheeky monkey! :p.

  22. I do not see a big future for MyBlogLog, it was like a new toy for bloggers, we have played enough with it.

    The biggest concern is privacy. MyBlogLog and Google both have one issue, privacy: Google keeps it to itself, MyBlogLog shows it to the world. I had made a few simple tools to check these manipulations some months back.

    I am working on a bigger thing for consolidating daily blog knowledge, I wish I could write more about it, keep watching my blog :).

  23. LMAO Matt, where did you get your “DaveN English into American English” decoder ring? I could’ve definitely used one of those decoder rings with a beer accent adjustment knob in Chicago when Dave was slurring away inches in front of me.

  24. Hey, meanwhile, there are e-mail spammers in the world generating bizarro-world subject lines in homage to you!

    From my e-mail today:

    03/15/07 03:53 pm Sophia Vasquez For those of you who don’t know, Matt is a Google guy guru, he is employed by Google but writes an independent blog and shares information related to Google and search engine optimization. 23KB

  25. Hi Matt, thanks for this post.
    Well, I found just one more critical email exposure on their site; you can read all about it on my blog: http://www.mywebseo.com/mbl_email_exploit/

  26. vivekkedia

    Hi,
    No posts for the last 3 days!!! Seems either you are too busy with work or took a small holiday.

  27. IncrediBILL, they’re quite rare and expensive, because they have to store “yeah” and “yer” in DaveN and be able to translate that into 15,000 phrases. 😉

    vivekkedia, I was taking care of some stuff at work. I just posted basically all day today though. And now I’m going to get out and actually get some exercise. Duke lost in the first round of the NCAA, so I’m going to go shoot some hoops to commemorate the occasion. 🙂

  28. vivekkedia

    Aaah well, Matt, I am from India and have little knowledge about Duke or the NCAA, though I surely know that India is not doing well in the currently ongoing Cricket World Cup http://en.wikipedia.org/wiki/2007_Cricket_World_Cup 🙁 Matt, you know what, the cricket fans in India are so paranoid that they are attacking homes of the losing players back in India 🙁

  29. Matt does that mean it is ok to link to hacking information?

    Did you know the previous owner of this community before Google Tutor was a big fan of Shoemoney? It could actually have looked like a social network doorway page, if such a concept exists.

    What was your opinion about the FUD regarding MBL tracking AdSense being a problem? I have seen reports from at least one person that the AdSense team are OK with it, though there seems to be a situation where MBL is detecting more clicks than are being reported in the AdSense backend.

    Would you also link to a site discussing ways to mess around with Adsense?

    Considering Google’s resources you could make things a little tighter, such as unique pub IDs generated per domain.

  30. Ben

    I must agree with Andy. Even big companies like Google have security issues (google “google account hijacking” for an example). And guess what Google asked the bug hunters last time an exploit was disclosed? “Please contact us immediately when you find a vulnerability, don’t publish it on the web before we fix it”. Isn’t that ironic?
