
MyBlogLog Spammers Can Trick Users Into Joining Any MyBlogLog Community

Update: MyBlogLog co-founder Eric Marcoullier just confirmed in the comments that this MyBlogLog hole is now fixed. So the hack described below may no longer work.

Techcrunch reader Michael Jensen previously demonstrated a simple browser trick to spam MyBlogLog widgets by auto-refreshing the browser every minute or so.

Now LoveDeep Wadhwa has found another hack that makes it possible to trick innocent MyBlogLog members into joining your MyBlogLog communities in one click.

Here's a quick illustration of this new form of MyBlogLog spam using the DI community webpage as an example.

Open your MyBlogLog Community page and right click on the thumbnail image of your website.

Choose "Save Picture As" and a window will appear asking you where to save the image on your hard drive.

Don't actually save the image; just copy the file name that appears in the Save As dialog (the filename looks something like 2005051600562336_sh.png).

Take just the numeric part of the filename (or the first 12 characters) and put it in the following URL (replace FILE_NAME with the value above):

http://www.mybloglog.com/buzz/join_conf.php?ref_id=FILE_NAME&ref_method=s&ref_er=www.mybloglog.com/buzz/community/FILE_NAME/

Now your spam URL is ready. Just add it to your email signatures or Orkut scraps, or leave it on MyBlogLog member pages; the moment someone clicks the above URL, they become a member of your community without any confirmation.

The user clicking the URL must be logged into MyBlogLog. Here's a real example to test the above hack. [caution: it will add you to the DI community]

LoveDeep says that there must be a confirmation step after clicking the "Join This Community" button, or it should be session based. Agreed: a confirmation is a must, or else not-so-tech-savvy users may accidentally become part of MyBlogLog communities that they are not even aware of.
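The confirmation LoveDeep asks for is the standard fix for this kind of one-click, cross-site state change: a planted link can make a logged-in browser send a GET request, but it cannot read or forge a secret that lives only in that user's session. The Python below is an added example written for this post, not MyBlogLog's code; the Session and Request classes, the handle_join function and the 12-digit ref_id check are assumptions chosen to mirror the join URL described above.

```python
import hmac
import secrets
from dataclasses import dataclass, field


# Hypothetical minimal model of a logged-in MyBlogLog session.
@dataclass
class Session:
    user_id: str
    logged_in: bool = True
    # Per-session secret; a link on a foreign page cannot know it.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))
    communities: set = field(default_factory=set)


# Hypothetical request object: HTTP method plus query/form parameters.
@dataclass
class Request:
    method: str
    params: dict


def handle_join(req: Request, session: Session):
    """Handle a join_conf.php-style request (hypothetical handler).

    Returns (status, body). Only a POST carrying the session's own
    CSRF token changes membership; a bare GET (what a planted link
    produces) only renders the confirmation form.
    """
    if not session.logged_in:
        return 401, "login required"

    community = req.params.get("ref_id", "")
    # ref_id values in the post are 12-digit numbers (constructed check);
    # reject anything else before doing any work with it.
    if not (community.isdigit() and len(community) == 12):
        return 400, "bad community id"

    if req.method == "GET":
        # Render the confirmation step. The token is embedded in the form so
        # the following POST can prove it came from this page, not a foreign site.
        form = (
            f"Join community {community}? "
            f"<form method='POST'>"
            f"<input type='hidden' name='ref_id' value='{community}'>"
            f"<input type='hidden' name='csrf_token' value='{session.csrf_token}'>"
            f"<button>Join This Community</button></form>"
        )
        return 200, form

    if req.method == "POST":
        supplied = req.params.get("csrf_token", "")
        # Constant-time compare; a wrong or missing token is refused.
        if not hmac.compare_digest(supplied, session.csrf_token):
            return 403, "invalid or missing confirmation token"
        session.communities.add(community)
        return 200, f"joined {community}"

    return 405, "method not allowed"


def demo():
    """Walk through the three cases and return the final membership set."""
    sess = Session(user_id="alice")  # constructed sample user
    # 1. The planted link from the post: a GET carrying only ref_id.
    #    The user sees a confirmation form; nothing changes yet.
    link = Request("GET", {"ref_id": "200505160056", "ref_method": "s"})
    assert handle_join(link, sess)[0] == 200 and not sess.communities
    # 2. A POST without the session token is refused.
    forged = Request("POST", {"ref_id": "200505160056", "csrf_token": "guess"})
    assert handle_join(forged, sess)[0] == 403
    # 3. The user submits the form the site rendered for them.
    confirmed = Request("POST", {"ref_id": "200505160056", "csrf_token": sess.csrf_token})
    assert handle_join(confirmed, sess)[0] == 200
    return sess.communities


if __name__ == "__main__":
    print(demo())  # {'200505160056'}
```

Run as a script, demo() shows the planted GET rendering a form but changing nothing, a token-less POST being rejected, and only the user's own confirmed POST adding the community. The token check is what makes the step "session based" in LoveDeep's sense: the secret is generated per login and never appears in a URL anyone else could copy.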