Comments on: Prevent Blogspam in MoveableType using Flash

By: JesterXL

JesterXL — Mon, 02 Oct 2006 16:48:25 +0000

Nice one, Nick! After 20 months, someone finally figured it out.

By: Nick Williams, yet again

Nick Williams, yet again — Mon, 02 Oct 2006 06:58:46 +0000

1) you could simply automate the posting by snagging the entry ID from this page's html source, and using it with this 2) You could craft a url on-the-fly, like this one, that would post a comment. The fact of the matter remains that this method will never be secure if it is ultimately accessing a URL that is not guarded from such an attack. It will only be useful on blogs that are not currently targets of spam. And, if I were a spammer, all blogs that had this flash file would now be a target.

By: Nick Williams

Nick Williams — Mon, 02 Oct 2006 06:28:54 +0000

The answer is: not much.

Your secret key is ‘else89ford04’.

This could be automated very easily by searching the html source for your swf file, then altering the parameters so that it sends the data to my own server. At which point, I could then craft the URL to post directly to your blog.

By: Nick Williams

Nick Williams — Mon, 02 Oct 2006 06:26:35 +0000

What prevents me from listening in or using Firefox’s TamperData plugin to determine what your flash file is sending?

By: aasdfasf

aasdfasf — Mon, 02 Oct 2006 06:24:28 +0000

asfasdfs