Old MyBlogLog Plugin ‘MyAvatars’ Has a Spam Vulnerability – Update Immediately

PeterM reported a spam email problem to me, which I tracked down to the old v0.1 MyAvatars plugin for WordPress. If you are using the MyAvatars plugin to display MyBlogLog images on your blog, make sure you have the latest version. The plugin can be downloaded from here: napolux.com.

In the old version 0.1 the commenters' email addresses were written into the page as “mailto:some.user@somewhere.com”, which lets spam harvesters collect email addresses from blogs and then spam them: if a person left a comment and gave their email, the plugin exposed that address to potential spammers. This problem has been fixed in the new version 0.2.

Here is one way to check whether a blog is using the old version. Next to each comment there is a small avatar icon. In the vulnerable v0.1, commenters who don’t have a MyBlogLog avatar get the following image:

In the new, fixed version 0.2 the image shown for those who don’t have an account is different:
(I’m not 100% sure this is a reliable way to tell the versions apart, but I’m pretty sure you can spot the old version by checking the images.)
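Checking the avatar images by eye works for one blog, but if you maintain a blog yourself the more direct test is to look at the rendered comment markup for the “mailto:” addresses the post describes. The script below is an added example, not code from the original post or from the MyAvatars plugin: it renders a constructed comment section the way v0.1 is described to (address written verbatim into the avatar markup), renders the same comments with a hash-based avatar key (an assumption about one common way to avoid emitting the address; the post does not say how v0.2 fixes it), and audits each for exposed addresses. The avatar host name, the query parameters and the commenter addresses are all made up for the example.

```python
import hashlib
import html
import re
from urllib.parse import unquote

# Matches an address that follows "mailto:" in any attribute or text node.
MAILTO_RE = re.compile(
    r"mailto:([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})", re.IGNORECASE
)


def render_avatar_v01(email: str) -> str:
    """Vulnerable pattern (constructed to match the post's description of v0.1):
    the commenter's address is written verbatim into the avatar markup."""
    return f'<img src="http://avatars.example/fetch?href=mailto:{email}" alt="" />'


def render_avatar_hashed(email: str) -> str:
    """Hardened pattern. ASSUMPTION: the post does not say how v0.2 fixes the
    leak; a hash-based lookup key is one common way to avoid emitting the
    address. MD5 is used here as a lookup identifier only, not as protection."""
    key = hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()
    return f'<img src="http://avatars.example/fetch?id={key}" alt="" />'


def find_exposed_emails(rendered_html: str) -> set[str]:
    """Return every address reachable through a mailto: target in the markup.

    Entities (&amp;) and percent-encoding (mailto%3A) are decoded first, so the
    check sees the same text a harvester would after trivial normalisation.
    """
    text = unquote(html.unescape(rendered_html))
    return {m.group(1).lower() for m in MAILTO_RE.finditer(text)}


def audit_comment_section(rendered_html: str) -> dict:
    """Summarise a rendered comment section: which addresses leak and whether
    the page should be treated as running the vulnerable version."""
    exposed = sorted(find_exposed_emails(rendered_html))
    return {"vulnerable": bool(exposed), "exposed": exposed}


# Constructed sample: two comments as the v0.1 plugin is described to render
# them, one with a mailto anchor on the name as well. Addresses are made up.
SAMPLE_V01_COMMENTS = "\n".join([
    '<li class="comment">',
    "  " + render_avatar_v01("some.user@somewhere.com"),
    '  <a href="mailto:Some.User@somewhere.com">Some User</a> says: nice post',
    "</li>",
    '<li class="comment">',
    "  " + render_avatar_v01("jane.doe@example.org"),
    "  <span>Jane Doe</span> says: thanks",
    "</li>",
])

# The same comments rendered with the hashed avatar key and no mailto anchor.
SAMPLE_FIXED_COMMENTS = "\n".join([
    '<li class="comment">',
    "  " + render_avatar_hashed("some.user@somewhere.com"),
    "  <span>Some User</span> says: nice post",
    "</li>",
    '<li class="comment">',
    "  " + render_avatar_hashed("jane.doe@example.org"),
    "  <span>Jane Doe</span> says: thanks",
    "</li>",
])

if __name__ == "__main__":
    print("v0.1 markup:", audit_comment_section(SAMPLE_V01_COMMENTS))
    print("fixed markup:", audit_comment_section(SAMPLE_FIXED_COMMENTS))
```

To audit a real blog, save the HTML of a post with comments and pass the file contents to `audit_comment_section`; any address it lists is readable by anyone who fetches the page. Note that a hashed key only removes the address from the markup: an avatar service keyed on a hash of the email still lets someone confirm a guessed address by hashing it, so the hardened pattern reduces harvesting rather than making the address secret.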

If you know of blogs using the MyAvatars plugin (blogs that display those images), I recommend contacting the blog author and telling them about this problem. I’m sure they would greatly appreciate your effort. I know I did.

Juuso Hietalahti