Pyra Labs has patched a number of security holes in its Blogger Web-based publishing tool this week which, if undetected,...
could have enabled a hacker to publish thoughts on web logs owned by others.
The holes were discovered by celebrated hacker Adrian Lamo, who reported them to Pyra, according to a statement on the Blogger Web site, http://status.blogger.com. Search engine company Google acquired Pyra in February for an undisclosed amount.
Three or four different vulnerabilities were discovered and reported to Pyra in January, Lamo said in an interview on Friday.
At least one of the vulnerabilities could have enabled a hacker to circumvent a process that prevented new users of Pyra's BlogSpot Web log hosting site from using a web log address of an existing user, a report published on Symantec SecurityFocus website.
By changing a hidden field in the user's web browser to contain the address of an existing web log, an attacker could replace that web log with his or her own musings.
Lamo likened the process to reassigning an Internet domain name to a different IP address.
Another security hole discovered by Lamo would have allowed hackers to add themselves to the list of those authorised to maintain a Web log, according to SecurityFocus.
The vulnerabilities affected the Web-based publishing tools that allow Blogger users to update their Web logs and could have been leveraged against Web logs hosted on Pyra's BlogSpot site or on domains maintained by the Web log's owner, Lamo said.
Given the growing popularity of web logs hosted by journalists, celebrities and pundits in recent years, the Blogger security holes take on new weight, creating the possibility that hackers could supplant the opinions of well-known personalities and opinion-makers with their own.
Pyra said the problems reported by Lamo had been resolved, and praised him for reporting the problems to them before they were publicised.
A review of the Blogger logs indicated that none of the problems reported by Lamo were exploited before being patched, Pyra said.
The vulnerabilities in Pyra's Blogger products were not unique to the company, which has "generally sound" technology and took a number of steps to prevent web logs from being hijacked, Lamo said.
Rather, the problem is common to many online services that require users to enter data in a number of different stages, for example, when creating or modifying account information, he said.
While checks to validate unique information like an e-mail address or log-in name may be performed at step one, they are rarely rechecked later in the registration process. That design flaw could enable hackers or even savvy users to modify cached account information and, effectively, hijack existing accounts.
In addition to web logs, similar vulnerabilities might be used to take over online property such as logins at major internet service providers, Lamo said.
"It's something I've seen more times than I can count. Hidden form fields are just one example. It's a common problem in the way people think when they are designing complex systems."