Pyra Labs has patched a number of security holes in its
Blogger Web-based publishing tool this week which, if undetected,
could have enabled a hacker to publish thoughts on web logs owned
by others.
The holes were discovered by celebrated hacker Adrian Lamo, who
reported them to Pyra, according to a statement on the Blogger Web
site, http://status.blogger.com.
Search engine company Google acquired Pyra in February for an
undisclosed amount.
Three or four different vulnerabilities were discovered and
reported to Pyra in January, Lamo said in an interview on
Friday.
At least one of the vulnerabilities could have enabled a hacker
to circumvent a process that prevented new users of Pyra's BlogSpot
Web log hosting site from using a web log address of an existing
user, according to a report published on the Symantec SecurityFocus
website.
By changing a hidden field in the user's web browser to contain
the address of an existing web log, an attacker could replace that
web log with his or her own musings.
Lamo likened the process to reassigning an Internet domain name
to a different IP address.
Another security hole discovered by Lamo would have allowed
hackers to add themselves to the list of those authorised to
maintain a Web log, according to SecurityFocus.
The vulnerabilities affected the Web-based publishing tools that
allow Blogger users to update their Web logs and could have been
leveraged against Web logs hosted on Pyra's BlogSpot site or on
domains maintained by the Web log's owner, Lamo said.
Given the growing popularity of web logs hosted by journalists,
celebrities and pundits in recent years, the Blogger security holes
take on new weight, creating the possibility that hackers could
supplant the opinions of well-known personalities and
opinion-makers with their own.
Pyra said the problems reported by Lamo had been resolved, and
praised him for reporting the problems to them before they were
publicised.
A review of the Blogger logs indicated that none of the problems
reported by Lamo were exploited before being patched, Pyra
said.
The vulnerabilities in Pyra's Blogger products were not unique
to the company, which has "generally sound" technology and took a
number of steps to prevent web logs from being hijacked, Lamo
said.
Rather, the problem is common to many online services that
require users to enter data in a number of different stages, for
example, when creating or modifying account information, he
said.
While checks to validate unique information like an e-mail
address or log-in name may be performed at step one, they are
rarely rechecked later in the registration process. That design
flaw could enable hackers or even savvy users to modify cached
account information and, effectively, hijack existing accounts.
In addition to web logs, similar vulnerabilities might be used
to take over online property such as logins at major internet
service providers, Lamo said.
"It's something I've seen more times than I can count. Hidden
form fields are just one example. It's a common problem in the way
people think when they are designing complex systems."
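
The design flaw described above (a uniqueness check made at step one and never repeated) shown beside a final step that rechecks before writing. This is an added Python example, not code from the article or from Pyra; the class, method and account names and the sample data are hypothetical and constructed for illustration.

```python
"""Multi-step signup: uniqueness checked at step one only vs. rechecked at commit.
All names and data are constructed for illustration (assumptions, not Blogger code)."""


class BlogRegistry:
    def __init__(self, owners):
        self.owners = dict(owners)   # blog address -> owning account
        self.sessions = {}           # session id -> address approved in step one

    def step_one(self, session_id, address):
        """Step one: reject addresses that are already taken."""
        if address in self.owners:
            return False
        self.sessions[session_id] = address  # keep the approved value server-side
        return True

    def commit_flawed(self, account, form):
        """Final step that trusts the hidden field echoed back by the browser."""
        self.owners[form["address"]] = account  # no recheck: replaces any owner
        return True

    def commit_hardened(self, session_id, account, form):
        """Final step that ignores client-held state and rechecks before writing."""
        approved = self.sessions.pop(session_id, None)
        if approved is None or form.get("address") != approved:
            return False  # field differs from what step one approved
        if approved in self.owners:
            return False  # address was taken after step one
        self.owners[approved] = account
        return True


def demo():
    # Constructed scenario: "alice-blog" already belongs to alice, and the
    # hidden field no longer matches the address approved in step one.
    altered = {"address": "alice-blog"}

    flawed = BlogRegistry({"alice-blog": "alice"})
    flawed.step_one("s1", "new-blog")
    flawed.commit_flawed("mallory", altered)

    hardened = BlogRegistry({"alice-blog": "alice"})
    hardened.step_one("s1", "new-blog")
    rejected = not hardened.commit_hardened("s1", "mallory", altered)

    honest = hardened.step_one("s2", "new-blog") and \
        hardened.commit_hardened("s2", "mallory", {"address": "new-blog"})
    return flawed.owners["alice-blog"], hardened.owners["alice-blog"], rejected, honest
```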