Bad Blogger.com Security Model

Security: Hey user auth systems! If you’re going to require me to sign in, and publish my login as a signature to prove that I’m ‘me’, please do me a favour — don’t delete the account if it’s been ‘inactive’, and allow anyone to re-register that name without my knowledge!

I just tried to leave a comment on a Blogger.com weblog, to find that my user account at Blogger had been deleted. Re-creating a new account with the same name wasn’t a problem – the previous account data had been simply deleted outright. (Presumably they don’t do this to people with a Blogger.com weblog — I hope.)

The risks of this are pretty clear; given that I’d already established an identity (at least in comments on certain Blogger weblogs) as ‘justinmason23’, if an attacker were to have re-registered that identity before I did, they could impersonate me.
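The failure mode above comes down to how an account store treats a purged username. The following is an added example, not Blogger’s code and not anything from the original post: two small in-memory registries, one that hard-deletes inactive accounts and frees the name (the behaviour described above), and a hardened one that retires the name as a tombstone, binds authored content to a stable numeric id rather than the display name, and only hands the name back to someone who presents the original account’s recovery token. The `recovery_token` field, the class names and the `impersonation_possible` walkthrough are all constructed for this illustration.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    uid: int              # stable identifier; comments are bound to this, not to the name
    username: str         # display name shown beside a comment
    recovery_token: str   # constructed stand-in for any proof of original ownership


class NaiveRegistry:
    """Models the policy described in the post: an inactive account is deleted
    outright and its username immediately becomes free for anyone."""

    def __init__(self):
        self._by_name = {}
        self._next_uid = 1

    def register(self, username, recovery_token=None):
        if username in self._by_name:
            raise ValueError("username already registered")
        acct = Account(self._next_uid, username, secrets.token_hex(16))
        self._next_uid += 1
        self._by_name[username] = acct
        return acct

    def purge_inactive(self, username):
        # Outright deletion: nothing remembers who held this name.
        del self._by_name[username]

    def lookup(self, username):
        return self._by_name.get(username)


class TombstoneRegistry(NaiveRegistry):
    """Hardened variant: a purged username is retired, not freed. Only a caller
    presenting the original account's recovery token may reclaim it, and on
    reclaim the original uid is restored so earlier comments stay attributed
    to the same identity."""

    def __init__(self):
        super().__init__()
        self._tombstones = {}   # username -> retired Account

    def register(self, username, recovery_token=None):
        retired = self._tombstones.get(username)
        if retired is not None:
            # Constant-time comparison so the check itself leaks nothing.
            if recovery_token is None or not secrets.compare_digest(
                recovery_token, retired.recovery_token
            ):
                raise PermissionError("username retired; ownership proof required")
            del self._tombstones[username]
            self._by_name[username] = retired
            return retired
        return super().register(username, recovery_token)

    def purge_inactive(self, username):
        # Retire rather than delete: the name stays reserved for its owner.
        self._tombstones[username] = self._by_name.pop(username)


def impersonation_possible(registry_cls):
    """Walk the scenario from the post: the owner registers a name, the account
    is purged for inactivity, then a second party with no proof of ownership
    tries to register the same name. Returns True if that second party now
    resolves as the holder of the username."""
    reg = registry_cls()
    name = "justinmason23"
    owner = reg.register(name)
    reg.purge_inactive(name)
    try:
        newcomer = reg.register(name)   # no recovery token: not the owner
    except PermissionError:
        return False
    return reg.lookup(name).uid == newcomer.uid and newcomer.uid != owner.uid


def owner_can_reclaim():
    """The genuine owner, holding the recovery token, gets the original uid back."""
    reg = TombstoneRegistry()
    owner = reg.register("justinmason23")
    reg.purge_inactive("justinmason23")
    restored = reg.register("justinmason23", recovery_token=owner.recovery_token)
    return restored.uid == owner.uid


if __name__ == "__main__":
    print("naive registry allows takeover:", impersonation_possible(NaiveRegistry))
    print("tombstone registry allows takeover:", impersonation_possible(TombstoneRegistry))
    print("owner can reclaim retired name:", owner_can_reclaim())
```

The design point is that the username is only a label; the thing comments should be bound to is an identifier the site never reissues. Retiring the name permanently (or until ownership is proved) closes the window in which a newcomer inherits a reputation they never earned.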


1 Comment

  1. jazz said,

    June 24, 2008 @ 7:01 am

    I have an old account on Blogger and it has my name on it, and I wanted it deleted like crazy. But I haven’t been on it for 2 years, and I forgot my username and password and the email it was for. And I’ve tried figuring it out for hours and now I’m out of luck. I hate it because it makes me nervous to know that it’s on there… and I just want it gone. Is there any way to solve this? Can I contact the people of Blogger via email and tell them to delete my account? Anything like that? Because I really want it to be gone. If you can help or anything of this sort, please leave comments and such and I will definitely check back. Thanks.
