March 7, 2003
(IDG News Service)
Pyra Labs Inc. patched a number of security holes in its Blogger Web-based publishing tool this week that could have enabled a hacker to publish on Web logs owned by others.
The holes were discovered by celebrated hacker Adrian Lamo, who reported them to San Francisco-based Pyra, according to a statement on the Blogger Web site. Search engine company Google Inc. acquired Pyra in February for an undisclosed amount.
At least one of the vulnerabilities could have enabled a hacker to circumvent a process that prevented new users of Pyra's BlogSpot Web log hosting site from using a Web log address of an existing user, according to a report published on Symantec Corp.'s SecurityFocus Web site.
By changing a hidden field in the user's Web browser to contain the address of an existing Web log, an attacker could replace that Web log with his own material.
Another security hole discovered by Lamo would have allowed hackers to add themselves to the list of those authorized to maintain Web logs, according to SecurityFocus.
Given the growing popularity of Web logs hosted by journalists, celebrities and pundits in recent years, the Blogger security holes take on new weight, creating the possibility that hackers could supplant the opinions of well-known personalities and opinion-makers with their own.
Pyra's acknowledgment said the problems reported by Lamo had been resolved. "We have fixed the security issues and Blogger is better for it," the message read, in part.
Pyra also lavished praise on Lamo for reporting the problems to it before they were publicized, calling Lamo a "good guy hacker" and saying "Adrian rocks."
A review of the Blogger logs indicated that none of the problems reported by Lamo were exploited before being patched, Pyra said.