As blogs go mainstream, Internet ills will follow.
Some Blogspot bloggers have become unwitting vectors for spyware, an Internet expert charged this week. And he thinks Google should take a stand.
Blogspot is the blog hosting service associated with Blogger, the Web log authoring and publishing business Google acquired in 2003. Ben Edelman, a Harvard Ph.D. candidate and spyware expert, charged that Google has done nothing to fix a flaw in Blogger coding that has made its blogs a haven for spyware and adware.
According to Edelman, while Google prohibits JavaScript in blog posts, it allows it in headers and navigation bars — enabling Elite Toolbar and Crazywinnings, two pernicious adware installers, to do their dirty deeds. He said he reported the problem to Google last week, while Blogspot bloggers have complained since last September.
A Google spokeswoman confirmed that the company was aware of the issue and still looking into it, but had no further information to share.
Edelman said the problem stems from one particular company, iWebTunes, which offers bloggers the ability to have music play when people access their blogs. Those who opt in become spyware delivery systems: iWebTunes hits unwary visitors with warnings to upgrade their browsers to prevent spyware, and clicking “yes” installs adware and spyware, including Elite Toolbar and CrazyWinnings.
According to the iWebTunes Web site, the free service lets registered users choose a music file from its server to be played on the user’s Web page. The company provides no contact information on its site, nor is there information at whois.net.
“These guys are dirty,” said James Manning, spyware research director for Aluria Software. He said iWebTunes sends users a snippet of JavaScript code to add to their own sites’ code. But it includes not only links for SearchMiracle, purveyor of the Elite Toolbar and Crazywinnings, but also update links. Every time someone hits a site containing iWebTunes JavaScript, he’s hit with more stealthy installs.
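The flaw described above is a policy gap: the script ban applied to post bodies was not applied to template headers and navigation bars, which is where a pasted third-party snippet lands. The following is an added example (not code from the article, Blogger, or Google) of how a hosting service could audit a template with one rule for every section; the template, its section class names and the `widget.example` host are constructed placeholders, and the navbar URL is assumed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample template (not a real Blogger template). "widget.example"
# stands in for any music/widget snippet a blogger pastes into the header.
SAMPLE_TEMPLATE = """
<html><body>
<div class="header">
  <h1>My Blog</h1>
  <script src="http://widget.example/player.js"></script>
  <script>document.write('<img src="http://widget.example/t.gif">');</script>
</div>
<div class="post">
  <p>Hello world, no scripts here.</p>
</div>
<div class="navbar">
  <script src="https://www.blogger.com/navbar.js"></script>
</div>
</body></html>
"""

class ScriptAuditor(HTMLParser):
    """Records every <script> element with the template section it sits in."""
    def __init__(self):
        super().__init__()
        self.section = "unknown"   # updated when a known section div opens
        self.scripts = []
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "div" and a.get("class") in ("header", "navbar", "post"):
            self.section = a["class"]
        elif tag == "script":
            self._in_script = True
            self.scripts.append({"section": self.section, "src": a.get("src"), "inline": ""})
    def handle_data(self, data):
        if self._in_script:            # HTMLParser hands script text to handle_data
            self.scripts[-1]["inline"] += data.strip()
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

def audit_template(html, allowed_hosts):
    """One rule for all sections: no inline scripts, external scripts only from allowed hosts."""
    parser = ScriptAuditor()
    parser.feed(html)
    violations = []
    for s in parser.scripts:
        if s["src"] is None:
            violations.append((s["section"], "inline script"))
        elif urlparse(s["src"]).hostname not in allowed_hosts:
            violations.append((s["section"], "third-party script from " + urlparse(s["src"]).hostname))
    return violations
```

Run against the sample, `audit_template(SAMPLE_TEMPLATE, {"www.blogger.com"})` flags the two header scripts and accepts the navbar script from the allowed host.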
Manning said that while most adware distributors bury notifications somewhere in their user license agreement, iWebTunes provides no notification at all. “These people have no idea what they’re putting in their Web sites,” he said.
It gets worse: Even cautious visitors who click on iWebTunes’ privacy policy via Internet Explorer get hit with the nefarious pop-ups, which exploit flaws in IE.
While iWebTunes may be bad news, it’s not a Google-specific problem, nor one especially related to blogs. Spyware is a parasite on all Web infrastructure.
But Edelman said he holds Google to a higher standard, because of its highfalutin corporate messaging about “doing no evil,” as well as the kind of blogger it attracts.
“Google has aspired to create a safer version of the Web on Blogspot,” he said. “There’s no official statement from Google certifying they have no porn or spyware, but because it’s Google, you feel like you can trust it at least a little bit.”
At the same time, because Blogger offers dirt-simple blogging tools, it attracts unsophisticated users, Edelman said, and Google should work harder to protect them. “People who may not be able to tell the difference between spyware and legitimate free music to publish on their Web pages are in the position to make decisions precisely because Google is giving them the tools,” he said.
The Blogger Navbar, which contains a search bar, a button to instantly blog a posting, and a “next blog” button, makes things riskier. Clicking on “next blog” takes the user to another random blog also containing the Navbar. That could be a blog the user would never have chosen to visit — and it could be one running iWebTunes code.
As any technology becomes mainstream, it inevitably will be beset with uglies. A report released earlier this week by the Pew Internet and American Life Project said that spam via instant messaging, or spim, has reached nearly one-third of users.
Meanwhile, security companies and the media continually warn consumers to install anti-spyware software and avoid saying “yes” to pop-ups. The anti-spyware market is expected to grow to $305 million by 2008, according to IDC. Consumers have also been advised to switch to Firefox, the open-source browser that has not — so far — been as prone to exploits, although it has its own problems.
But Edelman doesn’t blame naive users who click “OK” on the pop-ups for their spyware woes, or those who continue to browse with IE. “It’s a mess that Google has at least created on Google servers,” he said. “And it’s a problem that Google is uniquely in position to control. Google could flip a switch and make this stop tomorrow.”