25 April 2005

Shoutboxes and Recent Comments are Security Hole?

Posted at 21:43

There are a few sites that require you to claim your own weblog. To prove that you are the legitimate owner of the blog in question, they require you to put a specific HTML link back to their web site. These links often contain a random authorization string (cookie) or are simply a link back to your profile on their website.

For example, Technorati lets you register for your own Technorati profile. After registering, you need to claim your blog by putting a specific URL on your blog. After the next spidering run, Technorati will add the blog to your profile, and finally you will be able to put your photograph next to your entries in Technorati’s search results.

Another example: Blogshares, a fantasy stock exchange for blogs, automatically makes any discovered blog available for trading. However, the owner of each blog has special privileges with regard to their own blog. Before the owner can exercise them, he/she must first claim the blog by putting the ‘Listed in Blogshares’ icon, pointing to the blog’s profile in Blogshares, on the blog. Finally, the owner will be able to perform owner-specific actions, such as issuing more shares and an LBO. In addition, the owner receives an additional 1000 shares of their own blog.

The claiming process is supposed to be doable only by the owner of the blog in question. Normally, only the owner of the blog is able to insert an arbitrary link into the blog’s front page or sidebar. However, there are a few cases where visitors of the blog are able to insert arbitrary links into the front page:

  • Shoutboxes. These are small boxes used for a quick chat with the owner of the blog or another visitor. A random visitor is able to insert text in the shoutbox, and some shoutboxes automatically convert any URL into a hyperlink. This can potentially be used by a rogue visitor to claim your own blog. Fortunately, almost all shoutboxes are implemented using JavaScript and are thus invisible to practically every web spider.

  • Recent comments in the sidebar. Another common practice is putting a list of recent comments in the sidebar. This can potentially be exploited by random visitors to put an arbitrary link on the front page and thus claim your own blog.

Of course, not every blog with shoutboxes and/or recent comments is susceptible to this exploit, and not every blog without shoutboxes and/or recent comments is safe from this problem, either.

If you are in doubt, try posing as a random visitor and attempt to make an arbitrary link appear on your blog’s front page. If you can’t do that, your blog is probably safe.
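To make the problem concrete, here is an added example (not code from the original post or from Technorati or Blogshares) that models both sides: a simple claim spider that accepts a page if any anchor points at the claim URL, and a recent-comments sidebar rendered once unescaped and once HTML-escaped. The claim URL, the visitor comment and the page skeleton are constructed values for the demonstration.

```python
import html
from html.parser import HTMLParser

# Constructed values: a profile-style claim URL in the spirit of the post,
# and a visitor comment that carries that link. Not a real service's format.
CLAIM_URL = "http://claim.example/profile/12345"
VISITOR_COMMENT = 'Nice blog! <a href="http://claim.example/profile/12345">me</a>'


class ClaimLinkFinder(HTMLParser):
    """Collects the href of every <a> tag, the way a simple claim spider would."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def page_claims(page_html, claim_url):
    """Verifier side: the claim succeeds if any anchor on the page points at claim_url."""
    finder = ClaimLinkFinder()
    finder.feed(page_html)
    return claim_url in finder.hrefs


def render_sidebar_raw(comments):
    """Vulnerable: visitor text goes into the front page unescaped,
    so an <a> typed by a visitor becomes a real link the spider sees."""
    return "<ul>" + "".join(f"<li>{c}</li>" for c in comments) + "</ul>"


def render_sidebar_escaped(comments):
    """Hardened: visitor text is HTML-escaped, so tags are shown as text
    and the front page carries no visitor-controlled anchors."""
    return "<ul>" + "".join(f"<li>{html.escape(c)}</li>" for c in comments) + "</ul>"


def front_page(sidebar_html):
    # Constructed page skeleton: owner content plus the recent-comments sidebar.
    return f"<html><body><h1>My blog</h1>{sidebar_html}</body></html>"


if __name__ == "__main__":
    print(page_claims(front_page(render_sidebar_raw([VISITOR_COMMENT])), CLAIM_URL))      # True
    print(page_claims(front_page(render_sidebar_escaped([VISITOR_COMMENT])), CLAIM_URL))  # False
```

The same check passes for a link the owner placed in the sidebar, which is the only case the claiming services intend to accept; the fix is in how visitor content is rendered, not in the spider.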

30 Responses
