Recently an issue was reported to the Vulnerable Extensions List team which affected Easy Blog, the blogging platform for Joomla. After some thought we decided that it did not fall within the normal definition of a security issue that would merit listing on the VEL. It was reported to us by a site owner whose site had been hit by an unusually sophisticated spam attack: the spammer was taking advantage of the Easy Blog and Joomla default settings, with the result that they were able to set themselves up multiple accounts as bloggers and create blog posts containing spammy links. In this case these links ended up getting indexed by Google, even though they would not show up to a normal visitor to the site.

The first that the site owner knew of this was through Google Webmaster - he found his list of keywords being filled by Polish words related to Spongebob (e.g. spandzbob, ladzie, gniewu, mad max, etc). The site itself is in English. He then looked his website up on Google and found a whole list of bogus blog posts in Polish. Moreover, on checking the backlinks to his site he found a list of similar Spongebob related blog entries on other English language sites. Many of these blog entries still exist, presumably the site owners remain unaware of the spammy content.

Now luckily for this site owner the entries related to quite innocent material: let's face it, who doesn't like Spongebob? So probably the reputational damage to his site is not too great. But Google has a memory, and puts considerable store by site reputation, so if it starts to view your site as being spammy, there is real harm done.

We think that it is the responsibility of webmasters to understand what their site settings allow others to do on their site, which was the main reason why we did not list Easy Blog on the VEL. By default, the current version of Joomla does not allow users to register; however, Joomla 2.5 did, and earlier releases of 2.5 also allowed users to self-activate by default. Anyone who runs a Joomla site that has migrated from these earlier versions will have inherited these default settings, unless they have taken the trouble to change them. What apparently some webmasters do not realise is that you do not have to have a registration form published on your site for users to be able to register: a spammer can easily create their own HTML form and register if your site settings allow this. There are scripts available that will do exactly this.

Prior to version 5.0.5 of Easy Blog, which was released in June 2015, the default settings allowed registered users to create and publish their own blog items. The important thing to understand is that a blog entry does not need to be visible in your site navigation in order to be accessible by Google. You may have a menu item set up on your site that shows only blog entries by an individual user (you), but anyone, including search engines, will be able to see published blog entries by other users by using the appropriate URL for the entries. All that the spammer needs to do is to link to them elsewhere, and they will be picked up by Google.
Now the purpose of this article is not to "name and shame" the developers of Easy Blog, but to make some general points. If there is any shame to go round, it belongs mainly to those dodgy SEO firms who build their business around these kinds of practices, plus the customers who choose to buy their services with no questions asked. I mean, reputable websites do not sell links (at least openly), so if you buy a thousand backlinks for your site, where do you think they are coming from?

So what can be done about this?

Webmasters

Check your site configuration. If there is not a good reason why users should be able to register themselves on your site, disallow it. If you install an extension on your site, check what its default settings allow others to do on your site. Don't just install it and think "well, that seems to work": it may come back to bite you.

Users of Easy Blog prior to 5.0.5 can update, or edit the ACL to disallow registered users from creating and publishing. Also use Google Webmaster to check keywords related to your site: if you find references in Polish to a certain rectangular aquatic sponge cropping up, don't say we didn't warn you.
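As an added example (not code from the VEL team or from Joomla), the check above can be scripted. Joomla keeps the User Manager options as JSON in the `params` column of the `#__extensions` row for `com_users`; the key names below are the real ones, the sample values and the table prefix are constructed for illustration.

```python
import json

# Constructed sample of the com_users params JSON, as it would come back from
#   SELECT params FROM jos_extensions WHERE element = 'com_users' AND type = 'component';
# ("jos_" is an assumed table prefix; substitute your site's own.)
# This sample mirrors the old Joomla 2.5 defaults described in the article:
# self-registration on, self-activation, no explicit CAPTCHA.
SAMPLE_PARAMS = (
    '{"allowUserRegistration":"1","new_usertype":"2",'
    '"useractivation":"1","captcha":""}'
)

# useractivation values as defined in com_users' config.xml
ACTIVATION = {
    "0": "none (accounts are active immediately)",
    "1": "self-activation by e-mail link",
    "2": "administrator approval",
}


def audit_com_users(params_json: str) -> list:
    """Return a list of findings about open-registration risk, empty if none."""
    p = json.loads(params_json)
    findings = []
    if str(p.get("allowUserRegistration", "0")) != "1":
        return findings  # registration closed: nothing a spammer can self-create
    findings.append("self-registration is enabled")
    activation = str(p.get("useractivation", "0"))
    if activation in ("0", "1"):
        findings.append(
            "activation is " + ACTIVATION[activation]
            + ": no human reviews new accounts"
        )
    captcha = p.get("captcha", "")
    if captcha == "0":
        findings.append("CAPTCHA is explicitly disabled for registration")
    elif captcha == "":
        findings.append("CAPTCHA inherits the Global Configuration setting; verify it")
    return findings


if __name__ == "__main__":
    for line in audit_com_users(SAMPLE_PARAMS):
        print("WARNING:", line)
```

A clean result is an empty list; anything else means the site still allows what the spammer in this story relied on, regardless of whether a registration form is published.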

Developers

Choose default settings that protect your users. We know that it is tempting to make everything easy to do with the defaults, because it avoids those irritating support questions from people who cannot be bothered to read the manual, but resist that urge.

Joomla

Well, thankfully the defaults for Joomla no longer allow just any Tom, Dick or Harriet (or indeed Pedro or Nikolay) to register an account.