Top

How to Surf As Someone Else & Trick MyBlogLog

February 22, 2007 by  

I don’t know why MyBlogLog leaves this vulnerability literally in plain sight.

Jeremy of ShoeMoney shows how you can surf the web as other MyBlogLog members.

If you are using Firefox, locate your cookies.txt file and look for the line that says something like

 

 

 

 

 

.mybloglog.com TRUE / FALSE 120364175 mbl_sid ****************

Where ************* is some string of numbers to identify your MBL id.

If you want to be someone else, just change the string to whoever you want to be. You don’t need to be a member of mybloglog to exploit this bug.

To get someone’s MBL id,

  • visit their page where the MBL avatar is displayed.
  • Right click their avatar and click View or Copy Location
  • You’ll see a URL ending with 200705112235594_avatar.jpg
  • The string of number is the SID

At the moment of this writing, the bug has not been patched.

Update: Eric of MyBlogLog pointed out that the bug has now been fixed.

Did you enjoy this post? Please subscribe via RSS or email.

Related posts

Comments

RSS feed | Trackback URI

4 Comments »

Comment by Eric Marcoullier Subscribed to comments via email
2007-02-22 14:21:00

If you can show me this trick still running, I’ll be glad to investigate. As it stands though, we’ve upgraded all the code and are pretty confident that it’s closed.

 
Comment by Ashish Mohta Subscribed to comments via email
2007-02-22 23:10:17

Whats the use of surfing like that.Its better to know people u went there to see their blog rather than hide

 
Comment by sundait
2007-02-23 09:20:01

Gaman…

Its going to increase your blog visitor if I use your MBL id..LOL :-)

 
Comment by locos
2008-03-11 23:52:34

still not understand how the bug can increase blog visitor

 
Name (required)
E-mail (required - never shown publicly)
URI
Subscribe to comments via email
Your Comment (smaller size | larger size)
You may use <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong> in your comment.

Trackback responses to this post

Bottom