March 07, 2003, 11:08 AM — Pyra Labs Inc. patched a number of security holes in its Blogger Web-based publishing tool this week that could have enabled a hacker to publish thoughts on Web logs owned by others.
The holes were discovered by celebrated hacker Adrian Lamo, who reported them to Pyra, according to a statement on the Blogger Web site, http://status.blogger.com. Search engine company Google Inc. acquired Pyra in February for an undisclosed amount.
At least one of the vulnerabilities could have enabled a hacker to circumvent a process that prevented new users of Pyra's BlogSpot Web log hosting site from using a Web log address of an existing user, according to a report published on Symantec Corp.'s SecurityFocus Web site.
By changing a hidden field in the user's Web browser to contain the address of an existing Web log, an attacker could replace that Web log with his or her own musings.
Another security hole discovered by Lamo would have allowed hackers to add themselves to the list of those authorized to maintain a Web log, according to SecurityFocus.
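Both holes described above come down to the same server-side mistake: a request handler that takes the target Web log (or the user to be authorized) from a field the browser submitted, and never checks that the authenticated session user is actually allowed to act on that target. The following is an added illustration, not code from Pyra or Blogger; the in-memory store, the blog addresses, the user names and the form field names (`blog_address`, `body`, `new_member`) are all constructed for the example. It models a vulnerable publish handler and a vulnerable "add maintainer" handler, each beside a hardened version that consults the server's own ownership record instead of trusting the form.

```python
"""Constructed example: a request handler must not let a client-supplied
hidden field decide which Web log it may modify or who may maintain it."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a request fails the server-side authorization check."""


@dataclass
class Blog:
    address: str                       # constructed address, e.g. "alice.example"
    owner: str                         # account that created the blog
    members: set = field(default_factory=set)   # accounts allowed to publish
    posts: list = field(default_factory=list)   # (author, body) pairs


def make_store():
    """Authoritative server-side record of who owns and maintains what
    (constructed data; a real service would keep this in a database)."""
    return {
        "alice.example": Blog("alice.example", owner="alice", members={"alice"}),
        "bob.example": Blog("bob.example", owner="bob", members={"bob"}),
    }


def publish_vulnerable(blogs, session_user, form):
    """Missing check: the hidden 'blog_address' field alone selects the
    target, so the authenticated user is never compared with the owner."""
    blog = blogs[form["blog_address"]]
    blog.posts.append((session_user, form["body"]))
    return blog.address


def publish_hardened(blogs, session_user, form):
    """Same input, but the session user must appear in the blog's
    server-side membership list before anything is written."""
    blog = blogs.get(form["blog_address"])
    if blog is None or session_user not in blog.members:
        raise Forbidden(f"{session_user} may not publish to {form['blog_address']}")
    blog.posts.append((session_user, form["body"]))
    return blog.address


def add_member_vulnerable(blogs, session_user, form):
    """Missing check: anyone can add any account, including their own,
    to the list of authorized maintainers."""
    blog = blogs[form["blog_address"]]
    blog.members.add(form["new_member"])
    return sorted(blog.members)


def add_member_hardened(blogs, session_user, form):
    """Only the owner recorded on the server may change who maintains the blog."""
    blog = blogs.get(form["blog_address"])
    if blog is None or blog.owner != session_user:
        raise Forbidden(f"{session_user} is not the owner of {form['blog_address']}")
    blog.members.add(form["new_member"])
    return sorted(blog.members)


def demo():
    """Run the same tampered request against both handlers and report
    whether the server-side record was changed."""
    tampered = {"blog_address": "alice.example", "body": "not alice's words"}
    grant = {"blog_address": "alice.example", "new_member": "mallory"}
    results = {}

    blogs = make_store()
    publish_vulnerable(blogs, "mallory", tampered)
    add_member_vulnerable(blogs, "mallory", grant)
    results["vulnerable_posts"] = len(blogs["alice.example"].posts)
    results["vulnerable_members"] = sorted(blogs["alice.example"].members)

    blogs = make_store()
    for handler, form in ((publish_hardened, tampered), (add_member_hardened, grant)):
        try:
            handler(blogs, "mallory", form)
        except Forbidden:
            pass
    results["hardened_posts"] = len(blogs["alice.example"].posts)
    results["hardened_members"] = sorted(blogs["alice.example"].members)
    return results


if __name__ == "__main__":
    print(demo())
```

The hardened handlers still accept the address from the form, which is the minimal fix; a stricter design derives the target from the authenticated session (the user's own list of blogs) and treats any submitted address that is not in that list as an error worth logging, since a mismatch between the session and the hidden field is exactly the tampering the article describes.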
Given the growing popularity of Web logs hosted by journalists, celebrities and pundits in recent years, the Blogger security holes take on new weight, creating the possibility that hackers could supplant the opinions of well-known personalities and opinion-makers with their own.
Pyra's acknowledgement said the problems reported by Lamo had been resolved.
"We have fixed the security issues and Blogger is better for it," the message read, in part.
Pyra also lavished praise on Lamo for reporting the problems to the company before they were publicized, calling Lamo a "good guy hacker" and saying "Adrian rocks."
A review of the Blogger logs indicated that none of the problems reported by Lamo were exploited before being patched, Pyra said.