Monday, March 26, 2007

Google, don't be evil; leave that to blogger

This comment on dcubed, by someone apparently replying to himself, flummoxed me momentarily: "Can you please stop using my id. I thought you had stopped after my last appeal, but you have showed up agin."

Had this poster given out his password to an unpleasant character? Why didn't he just change it? Or is blogger trivially crackable? Can I log in as anyone I like?

Then I realised that while I can't do that, I can impersonate anyone I like, and the results are indistinguishable from genuine comments. (I'm not telling how, but it's trivial.) While one can forge email headers, the results can be detected by the savvy; here, there seems no way to do so, unless one has access to Google's internal logs. There seems, also, no way to disable this "feature", short of disabling anonymous comments totally.

Blogger sucks. It sucks in many, many ways (one of these days I shall count the ways), but this one is the most egregious I've seen so far.

8 comments:

Space Bar said...

rahul,

just out of interest, i'd like to know how? (you could mail me?) i had a case of someone who would imitate my blog name, template etc. a couple of years ago. i deleted that blog, and subsequently, opened comments on ym current one only to bloggers. i find this kind of thing a little weird and frankly, scary. you don't have an email on your profile, or i'd mail this to you.

Dilip D'Souza said...

Rahul, actually the results are distinguishable from genuine comments by someone who has logged in: if you have a picture associated with your blogger id. See comment below, you'll know what I mean.

Dilip D'Souza said...

Rahul, actually the results are distinguishable from genuine comments by someone who has logged in: if you have a picture associated with your blogger id. See comment above, you'll know what I mean.

Abi said...

Damn, you are right! It *is* trivial.

I realize that Dilip has got here first, with an insight about the pictures associated with the blogger account.

Rahul said...

space bar -- I guess you can't do anything about someone opening a new blog in your name copying your template. If they are using your real-life name, you could conceivably make a complaint to blogger about impersonation (it is probably illegal). But I don't know how easy it would be to pursue it.

As to how to spoof comments, figure it out... dilip's comment should offer a clue.

dilip - good point. I should upload a picture of my own. However, I see the picture only on the "post a comment" page, not on the original page (where your two comments seem indistinguishable to me).

Rahul said...

dilip, ps - and before you ask, I do have "yes" for "Show profile images on comments?" in my settings. I suppose it applies only to the "post a comment" page. Maybe it's to do with my template (it's true of your blog too).

Jai_Choorakkot said...

Rahul,

I am the blogger that is being stalked there- usually the first in the series of "Jai" comments is mine, the rest are this guy asking me to quit, and talking to himself since I dont bother to respond.

As space bar said here, its scary.

Thank you for working out how it is done. I am authentic enough not to want to know how to do it, but could you please tell me how to stop it if there is a way.

Does the photo feature help? I'll try linking an image. I dont know enough of blogger to even do this.

If there is a safe way to exchange email IDs to correspond with you privately if possible, I would really appreciate it.

regards,
Jai

Rahul said...

Jai,
If this is your real name, you could complain to blogger and/or the police. It is certainly a crime to impersonate you, and recently Google has been cooperating with the Mumbai police on fake Orkut profiles. The only question is whether they'll consider your complaint serious enough to investigate.

For a less extreme step, of course, there's the photo (as Dilip suggests).