Wednesday, August 06, 2014
A "spam" comment gets past Blogger's usual notification and security procedures; a significant security hole?
Yesterday (Tuesday, August 5), I received an odd comment in my moderation queue on Blogger for my “BillBoushka” blog (see profile), on a posting having to do with revenge porn. The posting also mentioned the recent Middle East (religious) conflict. The comment was a long exposition about some Christian teachings, especially regarding St. Peter, and it didn’t seem relevant, except maybe in the respect that a good Christian would not post revenge porn. I had not gotten the usual email notification on AOL, and it had come from a Blogger member with a Google account, and had not been marked as a spam comment.
Blogger comment moderation often will mark anonymous comments as spam comments. In those cases, an email notification to AOL appears, but the comment does not appear in the moderation queue, and it is not possible to override the spam classification from the email. (We can argue why I don’t use the gmail account; I just think there is more security in using two separate companies for the process.)
I allowed the comment. Almost immediately, I found an item in my spam folder on AOL called “message” saying “hello you have received a comment from your message on blogpost”. I did NOT receive the usual notification from Blogger to my AOL inbox, which provides a dynamic link to the post so I can easily check the comment.
I checked the spam message on an older (XP) computer on which I don’t do any essential work now. I clicked on the embedded link, and McAfee Site Advisor (that older computer has Site Advisor and Kaspersky) blocked it, saying that the domain was a known for phishing. It’s hard to see what the point of the phishing attack might have been.
I checked the person’s account on Blogger. He had a legitimate blog on Christian materials, and, from comments that I could find from Google, has generated some controversy. (I’ll let the reader gumshoe this on his or her own; this posting isn’t to attack anyone or their beliefs.)
I removed the comment (although the blog posting still shows that a comment had been removed by the Blog Administrator) and wrote a comment myself, explaining what had happened. I did get a proper notification from Blogger through my AOL email account, and it behaved normally. I also found a similar comment on this blog in May 2014, which I also “removed” for safety.
One possible concern could be this: Could an attacker pose as that person by signing on to his account and then get around Blogger security to send comment spam, to get that person in trouble or harm the person’s reputation? I would think that the two-step verification for Google accounts would stop this. (By the way, Microsoft accounts seem to use two-step verification now, too.)
One another small site that I have (billboushka.com), I sometimes get comments slipping by moderation on an old Wordpress blog. On my newer Wordpress blogs, I use Askimet to filter spam comments. So far, no comments have gotten past moderation and most spam has been flagged.