Friday, May 14, 2010

Security Vulnerability In Mail-to-Blogger Passwords

Two months ago, Blogger issued a typically terse warning of a security problem with blogs that use Mail-to-Blogger for publishing posts:
To prevent abuse, a recent update to disabled easily guessable secret words. Please update your Mail2Blogger secret word.

I've referred to the importance of the "secret word" some time ago - and apparently this year, a few blogs are being hit by the vulnerability.

If you are using Mail-to-Blogger for publishing - and especially if you enabled "Publish emails immediately" - this is a change which you need to make. There is apparently an organised attack underway, where blogs owned by accounts with weak "passwords" are being used as spam hosts. In some cases, this results in splog detection, with the well-known and hated 4 step process being required to get the blog unlocked - then cleaned.

If your blog uses Mail-to-Blogger, and you have selected "Publish emails immediately", please change your Mail-to-Blogger password to something not easily guessable.
  • First, do not use details from your real life, like your social security number, street address, name of husband / wife, and so on. If you can remember it, the bad guys can - and will - guess it.
  • Second, avoid words found in the dictionary of your native language. Dictionary based password guessing is a very popular technique used by many hackers.
  • 12 to 24 character random strings, combining letters, numbers, and special characters, are best. It's your blog, just know the risks - and learn to live with the limitations. See Wikipedia: Password strength, for more details.
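
The three rules above, turned into a checker and a generator. This is an added example, not code from the original post or from Blogger; the function names, the sample personal details, the tiny word list and the `SPECIALS` set are assumptions made for illustration.

```python
import secrets
import string

# Constructed sample data; replace with your own details and a real word list.
PERSONAL_DETAILS = ["maria", "elmstreet", "19750412"]
DICTIONARY = {"password", "blogger", "sunshine", "dragon", "secret"}
SPECIALS = "!#$%*+-_"  # assumption: adjust to what the secret-word field accepts

def weaknesses(word, personal=PERSONAL_DETAILS, dictionary=DICTIONARY):
    """Return the reasons `word` breaks the rules above (empty list = passes)."""
    problems = []
    lowered = word.lower()
    # Rule 1: no details from real life.
    if any(p.lower() in lowered for p in personal if p):
        problems.append("contains a personal detail")
    # Rule 2: no dictionary words. Digits and symbols are stripped first,
    # so 'Dragon2010!' is still caught as 'dragon'.
    letters = "".join(c for c in lowered if c.isalpha())
    if any(w in letters for w in dictionary if len(w) >= 4):
        problems.append("contains a dictionary word")
    # Rule 3: 12 to 24 characters, mixing all three character classes.
    if not 12 <= len(word) <= 24:
        problems.append("length outside 12-24 characters")
    classes = [string.ascii_letters, string.digits, SPECIALS]
    if not all(any(c in cls for c in word) for cls in classes):
        problems.append("does not mix letters, numbers and special characters")
    return problems

def generate(length=16):
    """Draw a random secret word from the OS CSPRNG until it passes every rule."""
    if not 12 <= length <= 24:
        raise ValueError("length must be between 12 and 24")
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not weaknesses(candidate):
            return candidate

if __name__ == "__main__":
    for sample in ["Dragon2010!", "maria19750412", generate()]:
        print(sample, "->", weaknesses(sample) or "ok")
```
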

Just please - do this before you have to post, following organised brute force hacking, in Blogger Help Forum: Something Is Broken
Please, help me! My blog is locked!!


2 comments:

Yudi Helfi said...

I have tried to disable mail to blogger.. may it works. Thank you for your advice..

Luciano dos Santos said...

thanks for your help. I have now disabled mail2blogger.....