Thursday, January 08, 2009

Hacking JS-Kit reviews widget

I just installed the JS-Kit reviews system on my blog below. I was amazed to find the following security holes:

1) no CAPTCHA protection on posts. This means you can flood the reviews with bogus reviews and spam. Want to bring down the reviews system? Just write a 4-line script to execute this URL in a loop:

2) Email spam the person who posted a comment you don't like! This one is really amazing! Want to send someone 1000 emails anonymously? Same technique as above, just make it a comment instead of a posting, and the person who made the original posting gets 1000 emails!
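Both holes come down to the same missing control: nothing limits how many submissions one client can make, and every stored comment unconditionally triggers an e-mail. As an added, defender-side illustration (not JS-Kit's code; the client IP, address and timings are constructed), here is a sliding-window throttle on the submit endpoint plus a separate per-recipient cap on notification mail, so a flood of 1000 comments stores only a handful and sends the author only a few messages:

```python
import time
from collections import defaultdict, deque


class SlidingWindowThrottle:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.events = defaultdict(deque)  # key -> timestamps of allowed events

    def allow(self, key, now=None):
        now = time.time() if now is None else now
        q = self.events[key]
        # Drop events that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def handle_comment(post_throttle, mail_throttle, client_ip, author_email, now):
    """Return (stored, notified): whether the comment was accepted and
    whether the original poster was e-mailed about it."""
    if not post_throttle.allow(client_ip, now):
        return (False, False)          # too many posts from this client
    notified = mail_throttle.allow(author_email, now)
    return (True, notified)            # stored, mail sent only if under cap


def simulate_flood(n, limit_posts=5, post_window=60, limit_mails=3, mail_window=3600):
    """Constructed scenario: one client posts `n` comments one second apart."""
    post_t = SlidingWindowThrottle(limit_posts, post_window)
    mail_t = SlidingWindowThrottle(limit_mails, mail_window)
    stored = notified = 0
    for i in range(n):
        s, m = handle_comment(post_t, mail_t, "198.51.100.7",
                              "author@example.com", now=1000.0 + i)
        stored += s
        notified += m
    return stored, notified


if __name__ == "__main__":
    print(simulate_flood(1000))  # (85, 3)
```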


  1. Hi Geoffrey - Chris here from JS-Kit.

    The reviews product is based on very old code and is due for a major overhaul. Thanks so much for identifying these problems, I will get our engineers to look at them as a matter of priority.

    If you have any other ideas or feedback re: our products, please do not hesitate to contact me ( and we will be happy to get it sorted out for you!



  2. Hi Geoffrey, I am Lev Walkin from JS-Kit.

    1. No CAPTCHA protection on posts: We are using Akismet for automatic anti-spam protection. We don't need to burden our users with something as user-unfriendly as captcha. Our system catches misuse of our comments code and quickly refuses to send more than a handful of messages per period of time.

    2. Same thing with emails.

    3. By the way, Blogger CAPTCHA didn't work while I was trying to leave this message as Anonymous. Was displaying a broken image and returning 404. So much for CAPTCHA. Had to revert to using OpenID.

    Thank you for being alert to security issues though!