MyBlogLog Bug

I received a request from BlogMeme to become co-author of the community. I was thinking that it’s a clean invitation (I mean an invitation with no negative intention like spamming, etc.). But ShoeMoney revealed that it’s a MyBlogLog exploit.

If you look at my profile on MyBlogLog you will see 2 sites that I did not add.

I wonder if Yahoo could be possibly liable here because basically Yahoo is saying that I said I own these sites… yet I did not…

Check out Jason Calacanis’s community. Evidently in addition to calacanis.com he also owns and authors seoadwords.com …. right….

So what else can people do with cross-site exploits on MyBlogLog? Oh I think we are just seeing the tip.

The exploiter explains:

Choose Add a Co-Author, type in the MyBlogLog member name (for example: Shoemoney). This sends out an e-mail to the user account with a link to add yourself as a co-author. Now most people won’t open them, or they get picked up as spam.

Now examine the link:
http://www.mybloglog.com/buzz/add_author_conf.php?sid=&mid=
SID = Site ID, which is the community you author
MID = Member ID, which is the member the e-mail went to

Now, if you open that URL, it will automatically add the author, no clicking, no form etc.

If you send author requests to a bunch of people (for example, yourself), then find their memberID and your own SiteID, insert them into the URL and open it in a browser. Bam, you have new authors on the community.

I am thinking about whether I will use this exploit… :-)

Posted by SELaplana, 19 February 2007 at Internet, Security (No. of Views: 1816)
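
The behaviour described in the post is a state-changing GET that trusts only the `sid` and `mid` values in the URL. As an added example (not MyBlogLog's code and not part of the original post), the Python below sets that behaviour beside a hardened confirmation handler; the function names, in-memory stores, IDs and status codes are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory state standing in for the service's database.
INVITES = {}     # sha256(token) -> (site_id, member_id)
AUTHORS = set()  # accepted (site_id, member_id) pairs


def create_invite(site_id, member_id):
    """Owner invites a member; only this random token goes into the e-mail link."""
    token = secrets.token_urlsafe(32)
    INVITES[hashlib.sha256(token.encode()).hexdigest()] = (site_id, member_id)
    return token


def confirm_vulnerable(method, params):
    """As described in the post: any request carrying sid and mid adds the author."""
    AUTHORS.add((params["sid"], params["mid"]))
    return 200


def confirm_hardened(method, session_member_id, session_csrf, form):
    """Accept an invitation only on an authenticated, explicit, token-bearing POST."""
    if method != "POST":
        return 405  # opening a link (GET) must never change state
    if session_member_id is None:
        return 401  # the acceptor must be logged in
    sent_csrf = form.get("csrf", "").encode()
    if not hmac.compare_digest(sent_csrf, session_csrf.encode()):
        return 403  # the form was not issued to this session
    key = hashlib.sha256(form.get("token", "").encode()).hexdigest()
    invite = INVITES.get(key)
    if invite is None:
        return 404  # unknown, guessed or already used token
    if invite[1] != session_member_id:
        return 403  # only the invited member may accept
    del INVITES[key]  # single use
    AUTHORS.add(invite)
    return 200
```

The hardened handler takes the site and member from the stored invitation rather than from request parameters, so knowing two IDs is no longer enough to create an authorship claim.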

Comments

2 Responses to “MyBlogLog Bug”

  1. Eric Marcoullier Says:

    Dude, don’t even joke about using exploits. No good karma will come of it. In the meantime, we have not only turned off the exploit, we’ve also blogged about the entire experience and what we’re doing in the future. I hope you’ll have a look. http://mybloglogb.typepad.com/my_weblog/2007/02/weekend_spamtac.html

  2. Eric Reaction On MyBlogLog Bug » SELaplana Says:

    [...] MyBlogLog Bug [...]
