Old MyBlogLog Plugin ‘MyAvatars’ Has a Spam Vulnerability – Update Immediately

PeterM reported a spam email problem to me, which I traced to the old v0.1 MyAvatars plugin for WordPress. If you are using the MyAvatars plugin to display MyBlogLog images on your blog, make sure you have the latest version. The plugin can be downloaded from here: napolux.com.

In the old version 0.1 the commenter emails were written into the page like “mailto:some.user@somewhere.com”, which lets address-harvesting bots scrape email addresses from blogs and then spam them (anyone who left a comment and gave their email address was exposed to potential spammers because of the plugin). In the new version 0.2 this problem has been fixed.

One way to check whether a blog is using the old version: next to each comment there is a small avatar icon. In the vulnerable v0.1 you would see the following image for commenters who don’t have a MyBlogLog avatar:

In the new fixed version 0.2 the image shown for commenters who don’t have an account is different:
(I’m not 100% sure this is a reliable way to tell the version, but I’m fairly sure you can spot the old version by checking the images.)
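Besides looking at the avatar images, a blog owner can confirm the leak directly in the rendered HTML: the defect is that a commenter’s address appears as a “mailto:” string somewhere in the markup, which is exactly what harvesting bots look for. The following script is an added example (not part of the original post or of the MyAvatars plugin) that walks a page’s HTML and reports every “mailto:” address found in any attribute value or text node. The sample comment markup is constructed; the post does not say which attribute carried the address in v0.1, so the sample assumes an avatar image URL, and the avatar host name is a placeholder.

```python
import re
from html.parser import HTMLParser

# Matches "mailto:" followed by something that looks like an address.
# The character class stops at quotes, whitespace, tag delimiters and
# URL separators, so an address embedded in a query string is cut cleanly.
MAILTO_RE = re.compile(r"mailto:([^\s\"'<>?&]+@[^\s\"'<>?&]+)", re.IGNORECASE)


class MailtoAuditor(HTMLParser):
    """Collects every mailto: address found in attribute values or text.

    HTMLParser unescapes entities such as &amp; in attribute values before
    handing them to handle_starttag, so URLs are inspected in decoded form.
    """

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (location, address) tuples

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            for match in MAILTO_RE.finditer(value):
                self.findings.append((f"<{tag} {name}>", match.group(1)))

    def handle_data(self, data):
        # A visible "mailto:user@host" in text is just as harvestable.
        for match in MAILTO_RE.finditer(data):
            self.findings.append(("text", match.group(1)))


def find_exposed_mailto(html):
    """Return [(location, address), ...] for every mailto: address in html."""
    parser = MailtoAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


def exposes_addresses(html):
    """True if the page leaks at least one commenter address via mailto:."""
    return len(find_exposed_mailto(html)) > 0


# Constructed sample: what a v0.1-style comment might render as (assumption:
# the address is carried in the avatar image URL; avatar host is a placeholder).
VULNERABLE_COMMENT = """
<li class="comment">
  <img src="http://avatar.example.invalid/img?href=mailto:some.user@somewhere.com&amp;n=*" alt="">
  <cite>Some User</cite> said: Nice post!
</li>
"""

# Constructed sample: a fixed comment where no address reaches the markup.
FIXED_COMMENT = """
<li class="comment">
  <img src="http://avatar.example.invalid/img/default.png" alt="">
  <cite>Some User</cite> said: Nice post!
</li>
"""

if __name__ == "__main__":
    for label, html in (("v0.1-style", VULNERABLE_COMMENT), ("v0.2-style", FIXED_COMMENT)):
        findings = find_exposed_mailto(html)
        status = "LEAKING" if findings else "clean"
        print(f"{label}: {status}")
        for location, address in findings:
            print(f"  {address} exposed in {location}")
```

Run it against the saved HTML of one of your own post pages (for example the output of `curl` on a post with comments) rather than the samples; any finding means commenter addresses are reaching the public markup and the plugin still needs upgrading.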

If you know of blogs using the MyAvatars plugin (blogs that display those images), I recommend contacting the blog author and telling them about this problem. I’m sure they would greatly appreciate your effort. I know I did.

5 thoughts on “Old MyBlogLog Plugin ‘MyAvatars’ Has a Spam Vulnerability – Update Immediately”

  1. [...] Yes – it’s shameless, but I’m not above it. Hell, most of you think I’d hack my own site for links (kidding, kidding). Please join the mybloglog community. I can’t honestly say there is much in it for you except a sincere thank you :) The truth is, I just wanna see if I can get up in the ranks of Graywolf, who has cracked the top 50. I also wanted to take this opportunity to post about a security issue that Jusso thankfully alerted me to. Make sure to upgrade your “MyAvatars” plugin if you are running it on your site. The old version includes your users’ “mailto” address (not cool). For more on the problem, see Jusso’s post, and download the latest version of myAvatars. I love Social Media! – Votes are noticed and appreciated: These icons link to social bookmarking sites where readers can share and discover new web pages. [...]

  2. Yes, notice that the “default” image can be changed by editing the plugin’s code…