blogger gets hacked
October 25, 2002
Blogger's completely back up, including bStats and the API. It seems (again, I don't work for Pyra, but I've had information confirmed by Ev) that the vulnerability was really only severe during the hour or so that Blogger was running while hacked. During that time, it was possible, if you knew another user's login name, to use the "hacxoredbyme" password and post and publish with any other user's account.
It does not seem, at any time, that anyone, including the hacker, could read the server passwords in the system. In technical parlance, the intruder had "update" privileges on the system that stored less sensitive information like the public URL of the site, but no "select" privileges on any database, including the separate one that stores sensitive things like users' server login name and password.
In short, (s)he couldn't even read the database that was screwed up, let alone the other one that had sensitive data.
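The privilege split described above (an application account that can change public settings but cannot read them back, and no rights at all on the database holding server logins) can be expressed directly in database grants. The following is an added illustration in MySQL syntax, not Blogger's or Pyra's actual schema or configuration; the database, table, account and host names are all hypothetical.

```sql
-- Hypothetical layout: public settings and server credentials live in
-- separate databases so that one account cannot reach both.
CREATE DATABASE blog_public;
CREATE DATABASE blog_secrets;

CREATE TABLE blog_public.sites (
    user_id    INT PRIMARY KEY,
    public_url VARCHAR(255)
);
CREATE TABLE blog_secrets.server_logins (
    user_id      INT PRIMARY KEY,
    ftp_host     VARCHAR(255),
    ftp_user     VARCHAR(64),
    ftp_password VARCHAR(64)
);

-- Account used by the exposed web front end. It may change a user's public
-- URL but may not read the column back, and it gets nothing on blog_secrets.
-- MySQL needs SELECT on any column an UPDATE reads in its WHERE clause, so
-- SELECT is granted on the key column only, not on the data column.
CREATE USER 'publisher'@'webhost' IDENTIFIED BY 'placeholder-change-me';
GRANT SELECT (user_id), UPDATE (public_url)
    ON blog_public.sites TO 'publisher'@'webhost';

-- Only the component that actually publishes to users' servers may read
-- credentials, and nothing may change them through this path.
CREATE USER 'pusher'@'publishhost' IDENTIFIED BY 'placeholder-change-me';
GRANT SELECT ON blog_secrets.server_logins TO 'pusher'@'publishhost';

-- Verify the effective rights before going live.
SHOW GRANTS FOR 'publisher'@'webhost';

-- Connected as 'publisher', this succeeds:
--   UPDATE blog_public.sites SET public_url = 'http://example.invalid/' WHERE user_id = 42;
-- Connected as 'publisher', both of these are refused with an access-denied error:
--   SELECT public_url FROM blog_public.sites;
--   SELECT * FROM blog_secrets.server_logins;
```

An intruder who obtains only the 'publisher' account can therefore deface or redirect, but cannot enumerate sites or read a single stored server password.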
All of this is information that I'm not 100% positive is correct, but that I'm willing to stand behind as probably right. There are hacks that are so well-engineered that a visible hack like the one I reported on yesterday is all a diversion from some other activities that are masked by the part that gets attention. Neither the Pyra folks nor I (for what that's worth, I'm no expert on this part of it) think this intruder was that sophisticated.
Blogger is now at exactly the same security level it was two days ago, minus the vulnerability that caused this hack. Your sensitive information (by that, I don't mean things like your public URL) is no more or less vulnerable than it's always been. You can use your feelings about that to decide what information, if any, you should change regarding your server, and whether you want to use Blogger's feature that lets you store your password.
For all the Slashdot readers who were revelling at Blogger's misfortune because the blogger.com domain runs on Microsoft's IIS: the server database which was compromised was attacked through a known, but unpatched, vulnerability on the operating system on which it was running. That operating system is Red Hat Linux, proving once again that the keys to security are meticulous discipline in keeping updated on information, removing unnecessary services, and designing and launching applications with security in mind.
Finally, Ev told me that he intends to be more proactive in communicating with customers in the future. I think that's the best thing he can do to restore trust in his company and product.
Any of you who use Blogger will want to log in right now (if you can) and delete your server information and passwords. It looks like a hack is in progress that first switched many users' passwords or server information to "hacx0redbyme" or "hax0redbyme" and is now prohibiting lots of users from logging in. Tom pointed the problem out to me, and at that point it was mostly Pro users having problems, although it seems to be everyone now.
Update: Blogger's now offline, and the problem's being worked on.
I wanted to address some of the concerns people have brought up about its security. Some have suggested that this is an issue because of the design of Blogger's service, and that decentralization is the solution. I think we've seen that decentralization isn't necessarily a panacea. (Greymatter had a serious security hole; installations of Outlook and Exchange are decentralized.) The greater issue is reliability and whether weblogging can get out of its mindset of being a hobby and an amateur effort.
Development right now is usually done like kids hacking on a project, where staying up all night and then flipping a switch to make something go live is considered acceptable practice. That's only ever going to result in insecurity over the long run. It's even more unacceptable when you're in charge of a database that probably has the world's largest collection of server logins.
That's not meant as a slight to anyone who builds blogging tools, as I was the first public user in the directory and used Blogger for years and was overall very happy with it. But, with the exception of Mena and Ben Trott's work on Movable Type, which has been informed by Ben's background in cryptography and other security practices, there hasn't been a seriousness about the responsibility of developing these applications as weblogs move to being a critical communication tool for people. This is one of the reasons that weblogs aren't generally taken seriously as business tools.
I recently mentioned, to someone less familiar with weblogs, that the process of writing a weblog with a tool is similar to using Hotmail, except you're sending your message to people whom you don't yet know. Unfortunate security parallels aside, one of the lessons of that parallel is that these are tools that people depend on, and they have to be developed and maintained with the seriousness that responsibility entails.
Anil Dash posted an article with a during- and post-attack commentary on the security breach at the Blogger.com website on 25-Oct-2002. Sobering thoughts for all webloggers everywhere.