After reading a post on John Chow's blog, "MyBlogLog open to attacks", I decided to take a moment and figure this hack out. This hack allows an unknown blogger to attach their blog to the owner of a very popular community.
It is very simple and points out a serious security problem with MyBlogLog's verification system.
Normally, in order to add a co-author to your blog, the co-author has to approve you via an email link. One might think there would be a hidden security code in that link? Guess again!
In order to add anyone as a co-author of any blog, you only need to know two things:
1) The blog ID
2) The member ID
The first thing you do is make a normal co-author request. Since you know they will never actually approve it, you make up your own approval code instead.
Now you just build an HTTP request like this: http://www.mybloglog.com/buzz/add_author_conf.php?sid=[blog ID]&mid=[member ID]
That is it.
Pretty scary, no?
PS: Thankfully, this hack does not work in reverse. You cannot add yourself as a co-author of someone else's blog.
How does MyBlogLog fix this?
1) In the verification email include a decline option
2) Add a secret key to the add_author_conf.php function
The folks at MyBlogLog have fixed this security hole. The approval function now works only if the member being added as a co-author is the one logged in and following the link.
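Both checks together, the secret key suggested above and the logged-in-member check MyBlogLog adopted, as an added sketch that is not MyBlogLog's code. The `exp` and `sig` parameters, the function names, the demo key and the one-week expiry are assumptions made for illustration; the expiry goes one step beyond the two fixes listed.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlsplit

# Constructed demo key (assumption); a real service loads this from a secret store.
SERVER_KEY = b"constructed-demo-key"
TOKEN_TTL = 7 * 24 * 3600  # assumed policy: links expire after one week


def approval_mac(blog_id, member_id, expires):
    """HMAC-SHA256 over exactly the fields the link authorises."""
    msg = f"{blog_id}|{member_id}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def make_approval_link(blog_id, member_id, now=None):
    """Build the link placed in the verification email."""
    expires = (int(time.time()) if now is None else now) + TOKEN_TTL
    sig = approval_mac(blog_id, member_id, expires)
    return (f"/buzz/add_author_conf.php?sid={blog_id}&mid={member_id}"
            f"&exp={expires}&sig={sig}")


def parse_query(link):
    """Query string of a link as a dict of strings."""
    return dict(parse_qsl(urlsplit(link).query))


def confirm_co_author(params, session_member_id, now=None):
    """Return (approved, reason) for one hit on the approval endpoint."""
    now = int(time.time()) if now is None else now
    try:
        sid, mid, exp = (int(params[k]) for k in ("sid", "mid", "exp"))
        sig = str(params["sig"])
    except (KeyError, ValueError, TypeError):
        return False, "malformed request"
    # MyBlogLog's fix: the invited member must be the one logged in.
    if session_member_id is None or session_member_id != mid:
        return False, "not logged in as invited member"
    # Suggested fix: the link must carry a MAC only the server can compute.
    expected = approval_mac(sid, mid, exp)
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False, "bad signature"
    if now > exp:
        return False, "link expired"
    return True, "co-author added"
```

A request that carries only `sid` and `mid`, as in the original hole, is rejected as malformed before either check runs.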