Security holes found in Google’s Blogger

Pyra Labs Inc. patched a number of security holes in its Blogger Web-based publishing tool this week that could have enabled a hacker to publish thoughts on Web logs owned by others.

The holes were discovered by celebrated hacker Adrian Lamo, who reported them to Pyra, according to a statement on the Blogger Web site,

. Search engine company Google Inc. acquired Pyra in February for an undisclosed amount.

Three or four different vulnerabilities were discovered and reported to Pyra in January, Lamo said in an interview Friday.

At least one of the vulnerabilities could have enabled a hacker to circumvent a process that prevented new users of Pyra’s BlogSpot Web log hosting site from using a Web log address of an existing user, according to a report published on Symantec Corp.’s SecurityFocus Web site.

By changing a hidden field in the user’s Web browser to contain the address of an existing Web log, an attacker could replace that Web log with his or her own musings.

Lamo likened the process to reassigning an Internet domain name to a different IP (Internet Protocol) address.

Another security hole discovered by Lamo would have allowed hackers to add themselves to the list of those authorized to maintain a Web log, according to SecurityFocus.

The vulnerabilities affected the Web-based publishing tools that allow Blogger users to update their Web logs and could have been leveraged against Web logs hosted on Pyra’s BlogSpot site or on domains maintained by the Web log’s owner, Lamo said.

Given the growing popularity of Web logs hosted by journalists, celebrities and pundits in recent years, the Blogger security holes take on new weight, creating the possibility that hackers could supplant the opinions of well-known personalities and opinion-makers with their own.

Pyra’s acknowledgement said the problems reported by Lamo had been resolved.

“We have fixed the security issues and Blogger is better for it,” the message read, in part.

Pyra also lavished praise on Lamo for reporting the problems to them before they were publicized, calling Lamo a “good guy hacker” and saying “Adrian rocks.”

A review of the Blogger logs indicated that none of the problems reported by Lamo were exploited before being patched, Pyra said.

The vulnerabilities in Pyra’s Blogger products were not unique to the company, which has “generally sound” technology and took a number of steps to prevent Web logs from being hijacked, according to Lamo.

Rather, the problem is common to many online services that require users to enter data in a number of different stages, for example, when creating or modifying account information, he said.

While checks to validate unique information like an e-mail address or log-in name may be performed at step one, they are rarely rechecked later in the registration process. That design flaw could enable hackers or even savvy users to modify cached account information and effectively hijack existing accounts, according to Lamo.

In addition to Web logs, similar vulnerabilities might be used to take over online property such as log-ins at major Internet service providers, Lamo said.

“It’s something I’ve seen more times than I can count. Hidden form fields are just one example. It’s a common problem in the way people think when they are designing complex systems,” Lamo said.