Security Flaws Found in Google's Blogger

Pyra Labs patched a number of security holes in its Blogger Web-based publishing tool this week that could have enabled a hacker to publish thoughts on Web logs owned by others.

The holes were discovered by celebrated hacker Adrian Lamo, who reported them to Pyra, according to a statement on the Blogger Web site. Search engine company Google acquired Pyra in February for an undisclosed amount.

Three or four different vulnerabilities were discovered and reported to Pyra in January, Lamo said in an interview Friday.

Potential Problems

At least one of the vulnerabilities could have enabled a hacker to circumvent a process that prevented new users of Pyra's BlogSpot Web log hosting site from using the Web log address of an existing user, according to a report published on Symantec's SecurityFocus Web site.

By changing a hidden field in the user's Web browser to contain the address of an existing Web log, an attacker could replace that Web log with his or her own musings.

Lamo likened the process to reassigning an Internet domain name to a different Internet Protocol address.

Another security hole discovered by Lamo would have allowed hackers to add themselves to the list of those authorized to maintain a Web log, according to SecurityFocus.

The vulnerabilities affected the Web-based publishing tools that let Blogger users update their Web logs and could have been leveraged against Web logs hosted on Pyra's BlogSpot site or on domains maintained by the Web log's owner, Lamo said.

Growing Popularity

Given the growing popularity of Web logs hosted by journalists, celebrities, and pundits in recent years, the Blogger security holes take on new weight, creating the possibility that hackers could supplant the opinions of well-known personalities and opinion-makers with their own.

Pyra's acknowledgment said the problems reported by Lamo had been resolved.

"We have fixed the security issues and Blogger is better for it," the message read, in part.

Pyra also lavished praise on Lamo for reporting the problems to them before they were publicized, calling Lamo a "good guy hacker" and saying "Adrian rocks."

A review of the Blogger logs indicated that none of the problems reported by Lamo were exploited before being patched, Pyra said.

Common Problem?

The vulnerabilities in Pyra's Blogger products were not unique to the company, which has "generally sound" technology and took a number of steps to prevent Web logs from being hijacked, according to Lamo.

Rather, the problem is common to many online services that require users to enter data in a number of different stages, for example, when creating or modifying account information, he said.

While checks to validate unique information like an e-mail address or log-in name may be performed at step one, they are rarely rechecked later in the registration process. That design flaw could enable hackers or even savvy users to modify cached account information and effectively hijack existing accounts, according to Lamo.

In addition to Web logs, similar vulnerabilities might be used to take over online property such as log-ins at major Internet service providers, Lamo said.

"It's something I've seen more times than I can count. Hidden form fields are just one example. It's a common problem in the way people think when they are designing complex systems," Lamo concluded.