
Akismet Backdoor

20 November, 2005

Blog spam is a major problem, and Akismet.com is Matt's way of solving it. I am the lead developer of bBlog, so I write this not as a WordPress user but as someone looking to integrate this service into another blogging platform. I saw the words API and free and thought great. But no, I have some serious reservations about this centralised anti-blogspam service.

First, for developers of other blogging systems, it's a bit rich to have to get users to sign up at Wordpress.com. I mean Matt has the domain akismet.com, so why sign up on wordpress.com for an API key to akismet.com? Is it something to do with the dispute over wordpress.com after Matt reneged on his promise? Who knows, but it certainly makes it hard for developers of other blog software. I mean, why do you need a whole blog just to get an API key?

While investigating whether I should consider implementing an Akismet plugin for bBlog I came across some rather disturbing code. It sends the complete contents of the PHP superglobal $_SERVER to akismet.com: every request header the web server exposes, including the Cookie header, plus server paths and any HTTP auth credentials.

It was pointed out on the list last month (by a geeklog developer) that this raises privacy and security concerns, but nothing was done.

Dirk Haun wrote:

I can understand that you probably don't want to specify exactly what Akismet is looking for in a spam post, but the current implementation (copied and pasted from the WordPress plugin) does send a lot of obviously unnecessary information, as well as some that raises privacy and even security concerns.

I'm also going to filter out the cookies (session cookies, for example, are a touchy subject) and would suggest that the WordPress plugin does the same.

But were they? No. The words 'session cookies' and 'security concerns' didn't seem to faze Matt at all. The Akismet plugin, as implemented, sends information (session cookies) to Akismet.com that allows them to log into your blog. I.e. a backdoor. I'll give Matt the benefit of the doubt that this wasn't intentional. But you really have to wonder about the development process over at Wordpress.org when code like this is added to an open source project without any review, i.e. developed behind closed doors but then released as part of WordPress under the guise of Open Source.
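As an added illustration (this is not code from the Akismet plugin, WordPress or bBlog), here is the difference between forwarding $_SERVER wholesale and forwarding only an explicit allowlist of keys. The allowlist, the sample request values and the helper names are assumptions made for this example.

```php
<?php
// Added example, not the plugin's own code. Shows what leaves the server when
// $_SERVER is forwarded unfiltered versus through a fixed allowlist.

// Constructed sample of what $_SERVER holds on a real request. The cookie,
// auth and path values are made up for this example.
$sampleServer = [
    'REMOTE_ADDR'     => '203.0.113.7',
    'HTTP_USER_AGENT' => 'Mozilla/5.0 (constructed)',
    'HTTP_REFERER'    => 'http://example.com/post/1',
    'HTTP_COOKIE'     => 'PHPSESSID=constructed-session-id; bblog_auth=constructed',
    'PHP_AUTH_USER'   => 'admin',
    'PHP_AUTH_PW'     => 'constructed-password',
    'DOCUMENT_ROOT'   => '/var/www/blog',
    'SCRIPT_FILENAME' => '/var/www/blog/comment.php',
];

// The behaviour the post criticises: every $_SERVER entry goes to the remote service.
function buildUnfilteredPayload(array $server): array
{
    return $server;
}

// Hardened variant: only keys the remote spam check plausibly needs, named
// explicitly. This list is an assumption, not Akismet's documented parameter set.
const SERVER_ALLOWLIST = ['REMOTE_ADDR', 'HTTP_USER_AGENT', 'HTTP_REFERER'];

function buildFilteredPayload(array $server): array
{
    $payload = [];
    foreach (SERVER_ALLOWLIST as $key) {
        if (isset($server[$key])) {
            $payload[$key] = $server[$key];
        }
    }
    return $payload;
}

// Reviewer check: report any key that carries credentials or filesystem layout,
// regardless of how the payload was built.
function findSensitiveKeys(array $payload): array
{
    $pattern = '/^(HTTP_COOKIE|PHP_AUTH_.*|DOCUMENT_ROOT|SCRIPT_FILENAME)$/';
    return array_values(array_filter(array_keys($payload), function ($key) use ($pattern) {
        return preg_match($pattern, $key) === 1;
    }));
}

echo "Unfiltered leaks: " . implode(', ', findSensitiveKeys(buildUnfilteredPayload($sampleServer))) . "\n";
echo "Filtered leaks:   " . (findSensitiveKeys(buildFilteredPayload($sampleServer)) ? 'some' : 'none') . "\n";
```

Run it with the PHP CLI; the first line lists HTTP_COOKIE, PHP_AUTH_USER, PHP_AUTH_PW, DOCUMENT_ROOT and SCRIPT_FILENAME, the second reports none.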

Update: related links: What information is sent to akismet? / Neuter Akismet plugin / Wordpress.org thread / Plugin Trac Ticket. The Trac Ticket says this hole has now been fixed.
