Shoutboxes and Recent Comments are Security Hole?

There are a few sites that requires you to claim your own weblog. In order to prove the fact that you are the legitimate owner of the blog in question, they require you to put a specific HTML link back to their web site. These links often will contain a random authorization string (*cookie*) or simply a link back to your profile on their website.

For example, [Technorati](http://www.technorati.com) allows you to register for your own Technorati profile. After registering, you need to claim your blog by putting a specific URL in your blog. After the next run of spidering, Technorati will add the blog to your profile and finally you will be able to put your photograph next to your entries in Technorati’s search results.

Another example, [Blogshares](http://www.blogshares.com) –a fantasy stock exchange for blogs– will automatically make any discovered blogs available for trading. However, the owner of every blog has special privileges with regard to their own blogs. Before the owner can do this, first he/she must claim their blog by putting the ‘Listed in Blogshares’ icon pointing to the blog’s profile in Blogshares. Finally, the owner will be able to do owner specific action, such as issuing more shares and LBO. In addition, the owner will receive an additional 1000 shares of their own blog.

The claiming process is supposed to be doable only by the owner of blog in question. Normally, only the owner of the blog will be able to insert an arbitrary link to the blog’s frontpage or sidebar. However, there are a few cases where visitors of the blog will be able to insert arbitrary links to the front page:

* Shoutboxes. These are small boxes used for a quick chat with the owner of the blog or another visitor. A random visitor will be able to insert text in the shoutbox. Some shoutbox automatically convert any URL into a hyperlink. This potentially can be used by a rogue visitor to claim your own blog. Fortunately, almost all shoutboxes are implemented using Javascript and thus invisible to practically every web spider.

* Recent comments in sidebar. Another common practice is putting the list of recent comments in the sidebar. This can be potentially exploited by random visitors in order to put an arbitrary link in the front page, and thus, claiming your own blog.

Of course, not every blog with shoutboxes and/or recent comments are susceptible to this exploit. And not every blog without shoutboxes and/or recent comments are safe from these problem, either.

If you are in doubt, you can try posing as a random visitor and try making arbitrary links in your blog’s frontpage. If you can’t do that, your blog is probably safe.

30 comments

  1. :-? jd ada yg malah bingung…
    Kan udah dibilangin diparagraf akhir:
    “If you are in doubt, you can try posing as a random visitor and try making arbitrary links in your blog’s frontpage. If you can’t do that, your blog is probably safe.”
    Bukannya kata kuncinya di “Some shoutbox automatically convert any URL into a hyperlink” ???
    Jadi coba aja dulu drpd gak masang sama sekali :x

  2. uhm.. permasalahannya, sampai saat ini aku masih belum mengerti, apa pentingnya meng-hack weblog saya. sumpah deh.
    hi Roy ™

  3. Mas pri atau sobat yang lain.. kasih panduan ttg Blogshares dong.. Msh bingung gw. :) Tadi baru register doang n nyari chip.. sisanya ngga tau deh mo ngapain hehehe.. :d

  4. #12.. mas pri.. koq gw pake Avant Browser ver 10.0 di detect-nya sbg IE 6.0 ? blom support ya ?
    Ini message ngga usah ditampilin yah.. :d bales per-japri aja kalo berkenan. makasih mas..

  5. betul, saya gak pernah terpikir sedikit pun masang shoutbox. oke. dulu sih pernah. tapi sekarang, kayaknya nggak deh. :)>-

  6. iya nih, aq juga punya keluhan juga, tapi gak dibrowser melainkan di lokasi..
    selalu aja ke detect dari United State, tuh khan
    *\ sambil ngeliat ke bawah */

    kira2 pengaruh apanya ya?
    sbg informasi udah di coba dari 2 ISP yang berbeda ( barangkali ada yang ngira karna faktor ISP )
    apanya donk?

  7. #17. Dari GeoIP aku dapet informasi
    * Some French AOL users appear to come from Great Britain or Germany due to the way that AOL routes their traffic through proxy servers. Other countries may appear to come from the US if AOL routes the traffic through US proxy servers.
    Jadi mungkin ini penyebabnya.

  8. #20: avant browser itu cuma IE shell, jadi identitasnya sama dengan IE

    #18 #19: saya gak pakai geoip, tapi pakai IP-to-country

  9. “If you are in doubt, you can try posing as a random visitor and try making arbitrary links in your blog’s frontpage. If you can’t do that, your blog is probably safe.”

    bisa di misal-in ga??
    maksudnya.. contoh links yang kira2 berbahaya tuh kayak gimana?..
    :D :D :D :D

  10. ooowww… spertinya aku mulay mengerti..
    thx.. tapi kalo shoutboxnya ga diapus gpp kali yah.. hehe.. byar seru :p
    kalo ada yang mo nge-klaim blog-ku.. ya sutra lah..

    keep cool ajah.. :)>-

Leave a Reply to Charly Silaban Cancel reply

Your email address will not be published. Required fields are marked *