MyBlogLog Apologizes
MyBlogLog has apologized and reinstated Shoemoney's account. The MyBlogLog widget has returned to the sidebar.
A lot of people I respect immensely have written in to tell me that I screwed up, and after a point, it becomes impossible to avoid the truth. We banned Shoemoney originally to keep him from updating his list of User IDs on Wednesday night, which I think was the right thing to do. But after fixing the exploit, I should have unbanned him and thanked him for finding it. But I didn't. I screwed up.
***Original post follows***
Since Yahoo acquired MyBlogLog, they've done a superb job of angering and alienating their early supporters. A month ago, Yahoo's Jeremy Zawodny called Andy Beal a spammer on his personal blog (and later publicly apologized). Over the next few weeks, MyBlogLog saw a marked increase in real spammers exploiting weaknesses in MBL's system, including a recent rash of unwanted co-author requests. But things started to get really ugly in the past 2 days:
- Jeremy "Shoemoney" Schoemaker was banned for disclosing MyBlogLog user ids (which were already visible to anyone on MyBlogLog's own site)
- Andy Beal announced a boycott of MyBlogLog in response to Shoemoney's banning.
- Cord Silverstein of Marketing Hipster raised questions about possible spamming of MyBlogLog on Yahoo's part.
- Micheal "Graywolf" Gray joined Andy's boycott.
While it won't have nearly the impact of Andy or Micheal's actions, I'm joining them by removing the MyBlogLog widget from this site. Whether or not it returns is entirely up to MyBlogLog and Yahoo, and how they choose to deal with these issues.
I urge other users to do the same. We trust Yahoo/MBL with an enormous amount of data about our browsing patterns and those of our users, and I don't think it's too much to expect a little accountability in return. Let's send them a message.
Cord Silverstein wrote:
Kevin,
First off, thanks for the shout out. I don't know if I necessarily agree with the boycotting of MBL. I agree that since their purchase, they have hit some rocky issues, but Shoemoney was giving out personal data. I understand he was doing it to make a point, but if that is not a banning offense, what is?
Kevin Henney wrote:
MBL is clouding the issue by suggesting that Shoemoney gave out personal data. Those user ids are still publicly available to anyone, and contain no personal information.
Want to try out the mad hacking skills that Shoemoney used to access this "personal information"? Go to your recent reader widget, or any page on mybloglog, and right click on an avatar. View the properties for the image. See that 16 digit number in the image name? That's the user id.
Shoemoney has disclosed similar vulnerabilities in the past, and each time Eric has left comments to say thanks. See here, where Eric says "Shoe — always nice to see you holding our feet to the fire" or here where he says "Thanks for calling out the spam technique. Fixing this isn’t quite as simple as we would hope, but we’re working on it."
It seems like those would have been great opportunities to say "We'll ban you if you keep disclosing exploits" rather than expressing appreciation.
Andy Beard wrote:
Sorry if this comment is a bit late. I am not sure whether you read my coverage on this, but all they did was block a hacker. If someone was actively hacking my site I would try to do the same.
How about some better link bait: post a list of the Adsense IDs of 300 top bloggers, and show how to generate false clicks.
The IDs are publicly available.
Not tied to a single domain.
But no one with a brain is going to do something like that because they wouldn't want to rock the boat with Google.
There were a whole load of other issues as well.
Kevin Henney wrote:
It's never too late to comment.
I wouldn't do that with Adsense IDs because Google prohibits it in their Terms of Service. They also have a well known history of enforcing those terms.
MBL, on the other hand, had no TOS at the time that this happened. They had also publicly thanked Shoemoney on several occasions for drawing attention to security issues.
I believe they were within their rights to ban him, but I disagree with the way they handled things. Even Eric at MBL has admitted to screwing this one up.
Now that Shoemoney has stopped publishing exploits, is MBL really better off? I wonder how many new security holes have been found, quietly being exploited rather than publicly disclosed.