Blogger: the sock-puppet loophole

Posted by Tim Ireland on Tuesday, January 16th, 2007 at 10:05 am

Category: The Political Weblog Movement

This is being blogged publicly instead of communicated privately for two reasons:

a) I think users of Blogger deserve to know that this loophole has been in place for some time.

b) Blogger Support has let me down badly in the past, and I’m in no mood for yet another generic reply with no follow-up.

If you’re a regular user of weblogs running via Blogger.com, you’re probably already aware of the following:

1. In your comments settings, you have the following choices:
– Only Registered Users (only other registered users of Blogger.com can leave comments)
– Only Members of this Blog (only other registered users of Blogger.com that are part of your group can leave comments)
– Anyone (anyone can post a comment, using any name or nickname that they wish)

Blogger screen capture

2. If your blog is set to allow ‘Anyone’ to comment, this does increase the potential number of comments you receive, but it also allows those posting comments not only to post anonymously, but also to pose as other web users (after all, all they have to do is choose ‘Other’ and enter a name and domain).

Blogger screen capture

In any system that allows for unverified comments, anybody with half a brain can claim to be Fred Nurk from nurkindustries.com – and this is just such a system. So far, nothing new and alarming…

However…

While these types of claims to one identity or another are viewed with healthy scepticism, I fear too much trust is placed in the authenticity of comments apparently posted using a Blogger profile… because the system allows you to pose as any user of Blogger, providing that you know their Blogger name and the location of their profile (information that is easy to come by; all you have to do is copy the details from an authentic comment they’ve made).

Blogger screen capture

I’ve created a special test account where you can go and try this for yourself. Click here and go nuts.

The result is a comment posted under the name of another user of Blogger that will be widely accepted as authentic, as (if profile images aren’t being used) it appears identical to a comment made by an actual user who is logged into the system.

And it will have passed through Blogger’s own system without challenge (and yes, it works on both old and new versions of Blogger).

Try as I might, I can’t think of another major community-based website that allows non-members to pose as members within their own system.

Blogger should fix this. And fast.
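The flaw described above is a rendering and provenance problem: a comment system that takes an authenticated member comment and an unverified ‘Other’ comment, then draws both with the same name-plus-link markup, has thrown away the only fact that distinguished them. The following is an added example (not Blogger’s code, nor anything from the original post) that models that situation in Python: a vulnerable renderer that produces identical output for both kinds of comment, a hardened renderer that keeps the provenance attached, and a check that flags unauthenticated comments claiming a registered member’s name, a registered member’s profile URL, or any URL under the platform’s own profile namespace. The member registry, the profile namespace `www.blogger.com/profile/`, and all comments are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit

# Constructed member registry: display name -> profile URL.
# The domain and profile path layout are assumptions for the example.
MEMBERS = {
    "Manic": "http://www.blogger.com/profile/EXAMPLE-MANIC",
    "MatGB": "http://www.blogger.com/profile/EXAMPLE-MATGB",
}

# Hypothetical namespace under which the platform publishes member profiles.
# An unauthenticated comment pointing here is claiming a member identity
# without having logged in as that member.
PROFILE_NAMESPACE = "www.blogger.com/profile/"


@dataclass(frozen=True)
class Comment:
    display_name: str
    profile_url: str
    body: str
    authenticated: bool  # True only if the poster logged in as this member


def _norm(url: str) -> str:
    """Normalise a URL to lowercase host + path, so case and trailing-slash
    variations cannot be used to slip past an exact-match comparison."""
    parts = urlsplit(url.strip())
    return parts.netloc.lower() + parts.path.rstrip("/")


def render_vulnerable(c: Comment) -> str:
    """The loophole: name and profile link are drawn identically whether the
    identity was authenticated or merely typed into an 'Other' form."""
    return f'<a href="{c.profile_url}">{c.display_name}</a> said: {c.body}'


def impersonation_flags(c: Comment) -> List[str]:
    """Reasons an unauthenticated comment looks like it borrows a member identity.
    Authenticated comments are never flagged; the platform vouched for them."""
    if c.authenticated:
        return []
    flags = []
    url = _norm(c.profile_url) if c.profile_url else ""
    member_urls = {_norm(u) for u in MEMBERS.values()}
    if c.display_name in MEMBERS:
        flags.append("name matches registered member")
    if url and url in member_urls:
        flags.append("url matches registered member profile")
    if url.startswith(PROFILE_NAMESPACE):
        flags.append("url claims a platform profile without login")
    return flags


def render_hardened(c: Comment) -> str:
    """Keep provenance visible: authenticated identities get the profile link,
    self-asserted identities are labelled as such, and any self-asserted
    identity that collides with a member is shown without a link at all."""
    if c.authenticated:
        return (f'<a href="{c.profile_url}" rel="author">{c.display_name}</a>'
                f' (verified member) said: {c.body}')
    if impersonation_flags(c):
        return f"{c.display_name} (unverified; profile claim not shown) said: {c.body}"
    return f"{c.display_name} (unverified, claims {c.profile_url}) said: {c.body}"


# Constructed sample comments: a genuine member comment, a spoof that copied
# the member's name and profile URL into an 'Other' form, and an ordinary
# unverified commenter who claims no member identity.
REAL = Comment("Manic", "http://www.blogger.com/profile/EXAMPLE-MANIC", "Hello", True)
FAKE = Comment("Manic", "http://www.blogger.com/profile/EXAMPLE-MANIC", "Hello", False)
STRANGER = Comment("Fred Nurk", "http://nurkindustries.com/", "Hello", False)


def demo() -> dict:
    """Render the samples both ways so the difference is visible side by side."""
    return {
        "vulnerable_identical": render_vulnerable(REAL) == render_vulnerable(FAKE),
        "hardened_identical": render_hardened(REAL) == render_hardened(FAKE),
        "fake_flags": impersonation_flags(FAKE),
        "stranger_flags": impersonation_flags(STRANGER),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the example is the first two lines of `demo()`: under the vulnerable renderer the spoof and the genuine comment are byte-for-byte the same, which is exactly why a reader cannot tell them apart; under the hardened renderer they differ, and the spoof never gets the member’s profile link. The third check in `impersonation_flags` matters independently of any registry, because a URL under the platform’s own profile namespace is a claim that only a logged-in member should be able to make.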

4 Comments

  1. MatGB says

    Blogger should start supporting OpenID, Technorati already does, and I'm likely to switch my comments to OpenID only fairly soon (Typekey is an OpenID provider amongst others). There's an MT plugin for it as well, would be much appreciated y'know, could log in to comment here proving I'm the owner of my domain, not just a Typekey profile. Had never occurred to me to put the 'other' thing in for a blogger profile, such a bad idea to allow it. But that's what you get when you allow different display names to login names.

  2. Manic says

    MatGB – Almost a year later, that's exactly what Blogger.com is testing: http://bloggerindraft.blogspot.com/2007/11/new-fe

  3. MatGB says

    Still in draft, but excellent, I approve. I especially like that they've sold it properly: "if you see an OpenID comment with the URL http://brad.livejournal.com/, you'll know that it was Brad who wrote that comment, and not an impostor." Now all we need is for you to implement the OpenID plugin for MT. OR for me to get off my arse and finally reset up the WP blogs I've got planned all using it as the only accepted commenting method. (Guess who had to click the forgotten password link for his typekey account, again)

  4. Manic says

    "Now all we need is for you to implement the OpenID plugin for MT" *sigh* (raises hand) (admits) My switch to WP is already lonnng overdue. I'm hesitant to change anything substantial until then, given MT's unique ability to fall over the smallest plug-in. But well done for being well ahead of the curve on the Blogger thing.
