
Security Vulnerability In Mail-to-Blogger Passwords

In early 2010, Blogger issued a typically terse warning of a security problem with blogs that use Mail-to-Blogger for publishing posts:
To prevent abuse, a recent update to disabled easily guessable secret words. Please update your Mail2Blogger secret word.

I've referred to the importance of the "secret word" some time ago - and apparently this year, a few blogs are being hit by the vulnerability.

If you are using Mail-to-Blogger for publishing - and especially if you enabled "Publish emails immediately" - this is a change which you need to make.

There is an organised attack technique, where blogs owned by accounts with weak "passwords" are being used as spam hosts. In some cases, this results in splog detection, with the well known and hated in-forum triage being required to get the blog unlocked - then cleaned.

If you are inadvertently using an author account, instead of your owner account, you may have enabled Mail-to-Blogger, while trying to recover control of the blog. Whether accidentally or intentionally, your blog is now vulnerable.

If your blog uses Mail-to-Blogger (Settings - "Mobile and email" - "Posting using email"), and you have selected "Publish emails immediately", please change your Mail-to-Blogger password, to something not easily guessable - but reliable. If you don't need to post using email, select "Disabled".

Just please - do this before you have to post, following organised brute force hacking, in Blogger Help Forum: Something Is Broken
Please, help me! My blog is locked!!

Comments

Yudi said…
I have tried to disable mail to blogger.. may it works. Thank you for your advice..
thanks for your help. I have now disabled mail2blogger.....
KOKO said…
How do we disable mail2blogger?
Nitecruzr said…
Hi Habibu,

Thanks for the question.

The "Disabled" selection, for "Posting using email" will disable M2B, and make your blog safer. Or you can make the "password" a bit harder to guess, if you really want to post by email.
