Security holes found in Google’s Blogger

Pyra Labs patched a number of security holes in its Blogger Web-based publishing tool this week that could have enabled a hacker to publish thoughts on weblogs owned by others.

The holes were discovered by celebrated hacker Adrian Lamo, who reported them to Pyra, according to a statement on the Blogger Web site, http://status.blogger.com. Search engine company Google acquired Pyra in February for an undisclosed amount.

At least one of the vulnerabilities could have enabled a hacker to circumvent a process that prevented new users of Pyra’s BlogSpot weblog hosting site from using a weblog address of an existing user, according to a report published on Symantec’s SecurityFocus Web site.

By changing a hidden field in the user’s Web browser to contain the address of an existing Weblog, an attacker could replace that weblog with his or her own musings.

Another security hole discovered by Lamo would have allowed hackers to add themselves to the list of those authorized to maintain a weblog, according to SecurityFocus.

Given the growing popularity of weblogs hosted by journalists, celebrities and pundits in recent years, the Blogger security holes take on new weight, creating the possibility that hackers could supplant the opinions of well-known personalities and opinion-makers with their own.

Pyra’s acknowledgement said the problems reported by Lamo had been resolved.

“We have fixed the security issues and Blogger is better for it,” the message read, in part.

Pyra also lavished praise on Lamo for reporting the problems to them before they were publicized, calling Lamo a “good guy hacker” and saying “Adrian rocks.”

A review of the Blogger logs indicated that none of the problems reported by Lamo were exploited before being patched, Pyra said.