Update (Arrington): MyBlogLog has responded, apologized and reinstated Shoemoney. Caterina Fake of Yahoo (MyBlogLog’s parent company) has written her thoughts as well. It’s time to move on - and Shoemoney should accept this apology.
Yahoo!’s recent addition MyBlogLog is making news again — and not for another security exploit (that was last weekend) or spammer gaming. Well, it is related to those two topics — Shoemoney, a notable blogger in the affiliate marketing world with a fairly large following of readers that like his insight on all things related to online marketing, has been banned from MyBlogLog.
The really funny thing is that the security hole Shoemoney blogged about had been discovered and posted publicly (in French; a translation is here) over a month ago by eMich — yet as of this writing, that user hasn’t been banned. Founder Eric Marcoullier responded to this:
That is truly amazing and embarrassing that someone sent us details of this hack a month ago. I’ve checked my historical email (I receive all the incoming emails) and cannot find it, so it either got spam filtered or lost during my transition to a new laptop. Neither is really an excuse. As you may have heard, we’re hiring a community manager who will help ensure that this sort of oversight will not happen in the future.
There is no policy on MyBlogLog’s website to state when they would ban a member — ironically they stated earlier this week that they plan to create a Terms of Service (TOS), so that users would be accountable for breaking the rules.
Shoemoney has posted various exploits in the past, but it wasn’t until this latest one that Yahoo! decided enough was enough. The exploit he posted about was how you could surf the web acting as another user. Thus, you could change some code on your computer and visit a website with the MyBlogLog recent reader widget installed, and the avatar/profile of any MyBlogLog user you wanted to be would appear in that widget. Shoemoney posted the IDs of some notables such as MyBlogLog CEO Scott Rafer, Jason Calacanis, and TechCrunch. By doing this, you could continue surfing your own website as Jason Calacanis, and then after 10 visits to your community (if that default option was still set in the user’s account), Jason Calacanis would be joined to your community — and that would give you some clout.
Getting the IDs isn’t hard — it’s referenced in every user’s avatar image filename (note: this was changed within hours of the Shoemoney post). However, MyBlogLog felt Shoemoney was exposing people’s data and then “urging readers to spoof them.” I wouldn’t say he was urging them, but more that he was showing off.
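The flaw described above comes down to the widget trusting whatever user ID the browser presents, combined with IDs that were easy to look up. As an added illustration (not MyBlogLog’s code; the cookie format, the server secret and the member IDs are all constructed), this contrasts that pattern with a cookie carrying an HMAC tag that only the server can produce, so a presented ID is attributed to a member only when the tag verifies:

```python
# Added example (not MyBlogLog's code): why a visitor-identity cookie that
# holds only a bare user ID is forgeable, and how a server-side HMAC tag fixes it.
import hmac
import hashlib
from typing import Optional

# Hypothetical server-side secret (constructed for this example). In a real
# deployment it is generated and stored by the server and never reaches the
# browser or the widget script.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def identify_visitor_insecure(cookie: str) -> Optional[int]:
    """Vulnerable pattern: the cookie *is* the user ID, so anyone who learns
    another member's ID (the article notes IDs were visible in avatar
    filenames) is attributed as that member."""
    return int(cookie) if cookie.isdigit() else None


def issue_cookie(user_id: int) -> str:
    """Hardened pattern: the cookie carries the ID plus an HMAC-SHA256 tag
    computed over it with a secret only the server knows."""
    tag = hmac.new(SERVER_SECRET, str(user_id).encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{tag}"


def identify_visitor_signed(cookie: str) -> Optional[int]:
    """Accept the ID only if the tag verifies; compare tags in constant time
    so the check does not leak how many bytes matched."""
    user_id, sep, tag = cookie.partition(".")
    if not sep or not user_id.isdigit():
        return None
    expected = hmac.new(SERVER_SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return int(user_id) if hmac.compare_digest(tag, expected) else None


# Constructed scenario: member 1001 is the genuine visitor; 42 is a well-known
# member whose numeric ID could have been read off the site.
LEGIT_COOKIE = issue_cookie(1001)
FORGED_PLAIN = "42"                # the bare-ID widget attributes this visit to member 42
FORGED_SIGNED = "42." + "0" * 64   # without the secret the tag cannot be computed

if __name__ == "__main__":
    print(identify_visitor_insecure(FORGED_PLAIN))   # 42   -> spoofed attribution
    print(identify_visitor_signed(LEGIT_COOKIE))     # 1001 -> genuine member accepted
    print(identify_visitor_signed(FORGED_PLAIN))     # None -> no tag, rejected
    print(identify_visitor_signed(FORGED_SIGNED))    # None -> bad tag, rejected
```

Note that signing alone fixes attribution, not the visit-count auto-join behaviour the article mentions; that default still deserves its own review.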
Shoemoney has been a fan of MyBlogLog — supporting the service with their widget on his website and recently posting a list of 10 things he wanted to see that would help improve MyBlogLog and reduce spam. A couple of these ideas have been implemented as a result of this past weekend’s exploits. Shoemoney isn’t the only user to publicly exploit flaws in MyBlogLog — Michael Jensen showed how easy it was to keep your avatar (which could easily be a marketing message or your logo) on webpages of a website — he did this to TechCrunch (we have since removed the MyBlogLog widget). Jensen wasn’t banned.
The backlash has begun with Internet marketing consultant Andy Beal boycotting MyBlogLog until they reinstate Shoemoney’s profile. He argues that anyone could have looked up the MBL data and that it was hypocritical to expect an email from Shoemoney first (pointing out that notable Yahoo! blogger Jeremy Zawodny didn’t email Andy prior to publicly accusing Andy of being a spammer). Photographer and CEO of Flickr competitor Zooomr Thomas Hawk and SEO blogger Graywolf have both removed their accounts in boycott as well.
Since being acquired by Yahoo!, the once loved independent darling of the blogosphere has been feeling the heat — and now gets lumped with any Yahoo! angst. MyBlogLog is no longer the independent underdog start-up it once was — that role has shifted to the new blood in competitors OthersOnline and Explode.
Editor’s Note: Post by Steve Poland, whose blog Techquila Shots brainstorms web start-up ideas.
Holy Christ, what kind of developer doesn’t encrypt their login cookies? That’s not a security hole, it’s just awful programming.
I have been reading more and more articles lately about how savvy spammers have been getting. There have been articles about how spammers now are able to get a significantly higher amount of email past filters and how the web spammers have been getting better at getting past the search engines’ filters recently. It’s pretty scary…
That’s a mistake. Shoemoney has a lot of influence (especially among the seo / sem crowd), and he’s been a long time friend of the site. Instead of banning him, they should hire him to try and find other holes in the service.
IMHO, the last thing you want is an army of SEOs pissed off at you.
We must all remain skeptical of everything and everybody. It remains true, there is no such thing as a free lunch - if it’s too good to be true, walk away, fast!
Lawrence — agreed.
Sad to see, as you mentioned, an independent company getting involved with this absolute nonsense.
How do you ban someone who exploits something that hasn’t been built right?
Guess what if it was built secure Shoemoney couldn’t do what he did.
This is like 7 year olds in a school yard. Grow up!
This banning thing was just handled badly - it could have been handled gracefully and the backlash could have been avoided.
Was it Yahoo that did the banning? Does anyone know? Eric has a lot to say about this all over the blogs …
That’s f@cked up! I love the Shoemoney blog.
Yahoo may be a large company, but they act and look like a shoddy little start-up still trying to get their shit together.
I turned off MyBlogLog after the spamming got way too annoying. They seem to be weak on the implementation of what seemed like a good idea.
Stuntdubl, another very well respected SEM blogger, just pulled MBL:
http://www.stuntdubl.com/2007/.....-faves5-2/
Viral can go both ways…
MBL, you guys need to rethink this right now before this gets out of hand. Apologize on ShoeMoney.com and Threadwatch. Reinstate Shoemoney’s account, and publicly thank him for pointing out the cookie flaws.
Don’t let this go through the weekend.
Could it be MyBlogLog was meant to be nominally hackable from the start, encouraging viral marketing, and Shoemoney just found more ways to exploit the sloppy development work than Yahoo wanted? Spam and MyBlogLog have become synonyms, after all.
Yahoo needs to come clean and apologize to Shoemoney, even if he went overboard.
mybloglog is an annoying, uninteresting and unnecessary service that we should all boycott.
Here’s my take: MyBlogLog grew very, very fast. When a startup does that they tend to make a misstep here and there. In general I like the service, a LOT, and I’m giving them some time to get their stuff in order.
Mike,
There isn’t any *real* technology behind MBL.
I’ve led enough site developments to know that it is not more than 2 weeks of two programmers working 10hr days. And you can’t possibly have a harder and more boring interface than MBL has, so I’ll throw in a better interface too in those 2 weeks.
They’ve had enough time to clean up their act IMO. Before announcing the Yahoo buy they should have taken a couple of weeks and fixed things up. At this point it seems like their problems may be so low down that a top-to-bottom re-coding may well be called for.
Not to mention:
http://www.shoemoney.com/2007/.....ad-clicks/
-Zaid
I’ll be interested to look back on MyBlogLog in a few years time to see if its fortunes proved to be a seminal moment for Web 2.0.
I love MyBlogLog — I’ve expressed that openly and still will. Zaid — you can make those points, but MyBlogLog exploded; might not be A+ technology behind it, but the service has worked and people have loved it.
I’m with Lawrence on this again with his second comment — Eric/Scott, I’d reinstate Shoemoney before this blows way out of proportion; immediately. He has some serious clout — and I’m sure his blog alone has brought you many new users. You don’t have a ToS, you banned him (and haven’t banned the other user that exploited it a month prior — it was in French and the guy doesn’t have the reader base that Shoemoney has) — and yes, I do think Jeremy could have emailed you guys prior to exposing these flaws … but his blog is also about his skills, so it is somewhat expected that he took the route he took. I’d get him on the payroll for consulting, so he doesn’t expose any further bugs — and rather reports them to you. I’d also look at the recommendations he posted — I believe he truly has good intentions and, as I am, is fascinated/intrigued by the service. The only reason he’d work to hack/exploit you (and then publicly post that stuff) is because he believes in you. He’s not going to waste his time on stuff that doesn’t matter. Lastly, where’s Yahoo’s support in throwing their QA team on MyBlogLog to rip the application apart (and fix these security holes)?
It’s a really sad way of implementing policies on Yahoo’s part. And it’s getting scary that big companies like Yahoo and MS acquire popular open community sites and start applying their policies, which the users don’t want. I hope Yahoo will listen to the blog community like Google once did when they had their own results in Google Search.
If we haven’t already, we can all learn from this:
Companies: Don’t implement bureaucratic bigco policies.
People: Don’t try and “game” websites.
I think the whole part about Yahoo using MyBlogLog to track Google AdSense clicks is a lot more controversial. A very muddy pool!
As people have pointed out on the Shoemoney site, the tracking of AdSense clicks is part of the “pro” service offered for a fee that allows the user to see *all* links out of their site. It’s not sneaky (though that’s not to say that the info could not be misused by Yahoo).
I’m concerned that they don’t have a TOS that can be used to justify banning someone and a clearly stated policy of how they will and won’t use information collected about users’ traffic stats. Surely, this is where the big bucks lawyers at Yahoo can provide value. Quickly.
And Shoemoney comes back with another article on how MBL tracks Yahoo and Google Ad click-throughs. He words it in such a way that it sounds devious… but it’s a FEATURE of their system! It’s simply downright childish.
The quick overnight update:
ShoeMoney’s back and is now MyBlogLog’s featured member:
http://mybloglogb.typepad.com/.....hurts.html
We have a TOS, et al.
http://mybloglogb.typepad.com/.....knock.html
And, to be clear, it’s our users that have access to how many clicks occur on their Adsense ad units — the aggregate data is almost useless in this particular case as we don’t know what individual ads get clicked on, just that a click happened in the entire ad unit.
Update: Eric at MyBlogLog has unbanned Shoemoney.
You could always give http://www.milliondollaravatar.com a shot - it’s a free avatar based social networking site (comparisons to MyBlogLog have been made and I guess were inevitable). But I threw in a few unique twists to offer a more original experience.
This was a non-funded project. I designed and developed the entire thing over the course of 3.5 weeks (nights and Sundays only). (And yes, we’ll have a widget soon, but it won’t be hackable.)
MyBlogLog really has been getting hammered lately. The underdog companies can perform actions like this and, because of the relatively small number of users they have, it gathers much newsworthiness, but when companies like Yahoo make a mistake it’s everywhere.
I agree with the first comment made by John.
This is not a serious exploit — this is a case of careless coding and should have been picked up in testing somewhere along the line. Funny what you miss sometimes.
Shoemoney simply pointed out a very simple exploit of the system. I’m really surprised that it didn’t surface sooner. There was no malice in posting this because it’s a really easy fix… Often hacker-types forward exploits to you because not all hackers are bad — hackers look at things that most normal people don’t and can be a great resource if you show respect to them.
I like MyBlogLog and, as a startup, I can appreciate how difficult it is — at least there was an apology offered. Live and learn.
Won’t comment on the story, since it has already been resolved with Shoemoney’s reinstatement; but did notice something interesting. I had never heard of Caterina Fake before, and so I clicked on the link to her blog. This Yahoo employee has an interesting email address.
Nice observation on the email address Gregg… Did you also notice that there’s no MyBlogLog widget on her blog?
Holy cow, Noel! MyBlogLog’s blog doesn’t have a Flickr badge, either. You think they hate each other?
Hey Steve Poland,
Next time, get the title right! It should have been:
…bans blogger
AND NOT
…bans Blogger
I’m sure the intended meaning was a person who blogs, but it could have meant the company owned by Google, which means something different altogether.
I would have expected TechCrunch of all people to understand these subtle differences.
Cheers.
A well wisher.
There certainly seem to be some misconceptions here:
1. MyBlogLog is actually integrated with Flickr already; you can’t call that hate. It seemed to be a fairly secure process, and you had to authorise Flickr to give MyBlogLog access.
2. There was background communication by email, and Shoemoney had been asked to give a heads up before posting anything more.
3. Even services like Adsense aren’t totally secure.
4. There is a terms of service posted now, linking through to the Yahoo ToS that covers all their sites, and even new services by default.
5. Advert tracking service is part of the free features, though if you have the free service on a high traffic blog you are hardly going to notice the clicks in the few positions displayed unless you have an insane CTR on the ads or no outbound links.
6. It is still just the original 5 guys, not Yahoo, and they are tied up in personal moves across the country, setting up new servers, and a reactionary development process forced on them by hackers and spammers. Reactionary development is very inefficient.
A 403 error page is what any sensible web company would show a hacker, and WordPress blogs do it all the time with plugins like Bad Behavior.
With no terms of service or comments policy, how can you delete legitimate trackback, or even spam on a blog? Most bloggers are guilty of not crossing legal Ts.
God save the eMich !
I recently interacted with Google Adsense help about statistics differences between MyBlogLog and Google. The representative working my case never said anything about it being wrong to use MyBlogLog and even referenced it a few times without comment. Here’s the story:
http://www.bradsbits.com/2007/.....fferences/