Top Commentators List Hijack - What is it?
Just recently I started putting up the Top Commentators list on my blog. Though I don’t normally go and look at what comments have been caught as spam by Akismet, I happened to visit the page and found a comment lying there that seemed to be by Nirmal. Nirmal has been in the Top Commentators list since day one. A second look at the comment revealed something interesting: the URL posted with the comment was not that of Nirmal’s blog, and the comment was not by Nirmal himself. This was an attempt to hijack the Top Commentators list by someone pretending to be one of the top commentators, but with a different email id (the email id of the original commentator being known only to the blog owner) and a different URL which sometimes, if the hijack is successful, replaces the genuine URL of the original commentator.
What is the Top Commentators list, what is its hijack, and how does the hijacker gain from it?
Top Commentators lists exist on various blogs to encourage readers to participate in the discussion through comments. The commentator in turn gets a chance to show up in the sidebar of the blog with a link to his site/blog URL, if he has provided one. These links are mostly ‘DoFollow’ links (with rare exceptions), which is advantageous in strengthening one’s position in Google ranking.
Everyone is allowed to post comments as long as they add meaning to the discussion and are not posted just to get one’s link added to the sidebar. All bloggers keeping a Top Commentators list go through posted comments to prevent abuse: most require each comment to be moderated, while some moderate only the first comment, without approval of which none of the commentator’s comments pass. In all, bloggers make sure that only commentators of good repute (or at least not of bad repute) pass through, which our hijackers here are not! So instead of posting in their own name, they choose the name of a person already present within various comments or on the “Top Commentators” list. This way sometimes (or maybe many a time) they pass the screening of comments and their comment gets published.
Now, once a comment has been published, how does the “Top Commentators” list get filled? Let me show you here (sorry for getting too technical from this point onwards). The code below comes from the Top Commentator Widget v0.999 available here
Below is the piece of code that queries the comments database to find the top commentators. For this purpose it creates a list in descending order of the number of comments posted under each author name. So if a hijacker posts a comment in someone else’s name, it too is included in the count for that author.
To find the URL associated with each author, a query is fired for each commentator seeking his URL. Some variations of the Top Commentators plugin fire a simple select query taking the URL of the most recent comment. In such a case, instead of the original commentator’s URL, the hijacker’s URL is shown in the list, and this is what we are talking about here as Top Commentators List Hijacking. The hijackers are hopping around the blogs featuring Top Commentators, firing comments and looking for such a vulnerability, and once such a blog is traced, they insert comments in the name of more than one commentator for the various URLs they are trying to get link love for. Andy Bailey, also a Top Commentator, recently had to remove his Top Commentators list following such an attack. The plugin under discussion here is tougher to crack, as it checks for the URL that was most used to comment (check code below), and thus a hijacker cannot succeed with a single comment. But there still remains room for success. If the hijacker posts a number of comments equal to the number of comments by the original commentator plus one, he gets into the list, and the cause for concern here is that his comments don’t even need to be approved, as no such check is done in this query.
So all bloggers featuring a Top Commentators list should run a check by posting a comment themselves in the name of one of the commentators, with a URL different from that commentator’s, and ensuring that the comment passes moderation. Now check whether the list is hijacked or not. If yes, you need to take a break or ensure that no comment passes without strict URL checking. As for my blog: hijackers, please don’t try. Firstly, the blog is safeguarded by Akismet, so there is a high chance that your comment goes into the spam list immediately. Secondly, this blog is hosted on wordpress.com, which doesn’t have a top commentators facility, and thus the list here is not a result of “Artificial Intelligence” but of real intelligence.
How do we fight these hijackers? Simply by using the email address as the deciding factor for the Top Commentators list. Since email is the only field that is not publicly available, hijackers have little chance of taking over. Hope to see modified plugins soon.
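The two URL lookups described above and the email-keyed ranking proposed as the fix, as an added example (not the widget's own code, which is not reproduced here). Column names follow WordPress's `wp_comments` table; the rows, addresses, URLs and function names are constructed for illustration, and SQLite stands in for the blog's database.

```python
import sqlite3

GENUINE, FAKE = "http://nirmal.example", "http://spam.example"  # constructed URLs

def add(db, name, email, url, approved, times=1):
    db.executemany("INSERT INTO comments (comment_author, comment_author_email,"
                   " comment_author_url, comment_approved) VALUES (?,?,?,?)",
                   [(name, email, url, approved)] * times)

def make_db():
    """In-memory stand-in for the comments table, filled with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, comment_author TEXT,"
               " comment_author_email TEXT, comment_author_url TEXT,"
               " comment_approved TEXT)")
    add(db, "Nirmal", "nirmal@example.org", GENUINE, "1", times=3)
    add(db, "Bhumika", "bhumika@example.org", "http://bhumika.example", "1", times=2)
    return db

def url_latest(db, name):
    # Weak variant: URL of the newest comment posted under this display name.
    return db.execute("SELECT comment_author_url FROM comments WHERE comment_author=?"
                      " ORDER BY id DESC LIMIT 1", (name,)).fetchone()[0]

def url_most_used(db, name):
    # Tougher variant: most frequent URL for the name, approval status ignored.
    return db.execute("SELECT comment_author_url FROM comments WHERE comment_author=?"
                      " GROUP BY comment_author_url ORDER BY COUNT(*) DESC LIMIT 1",
                      (name,)).fetchone()[0]

def top_by_email(db, limit):
    # Hardened: the non-public e-mail is the identity; only approved comments count.
    # MAX() only makes the displayed name/URL deterministic within one e-mail.
    return db.execute("SELECT MAX(comment_author), MAX(comment_author_url),"
                      " COUNT(*) AS n FROM comments WHERE comment_approved='1'"
                      " GROUP BY comment_author_email ORDER BY n DESC LIMIT ?",
                      (limit,)).fetchall()

def scenario():
    db = make_db()
    # One impostor comment slips through moderation under Nirmal's name.
    add(db, "Nirmal", "x@spam.example", FAKE, "1")
    after_one = (url_latest(db, "Nirmal"), url_most_used(db, "Nirmal"))
    # Three more are held for moderation ('0'): impostor total is now 3 + 1.
    add(db, "Nirmal", "x@spam.example", FAKE, "0", times=3)
    return after_one, url_most_used(db, "Nirmal"), top_by_email(db, 2)

if __name__ == "__main__":
    print(scenario())
```

Running the self-check from the post against your own plugin amounts to the same comparison: the displayed URL for a name should not change after a comment with a different email is posted under it.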
Lol… top commentators also want to hijack… maybe that hijacker wants some link love from your site, Jalaj
dott-com
10 Feb 08 at 6:29 am
As far as I’m aware, if you’ve got comment moderation on then the hijacker would require both the correct name and email address approved. I’ve had comments not go through due to either of these being changed, whereas the URL isn’t a contributor to this process.
So providing your comments are set to be moderated then you should be safe, as the top commentators plugin checks that the comment has been approved.
But it’s still a good point to make especially as people using the same name could just contribute to a single placing in the list!
sarahg
10 Feb 08 at 11:03 am
@dott-com - If I was not clear, the hijackers are someone other than the commentator himself, trying to take over the link that the commentator earned by putting in many comments. A hijacker throws in a single comment which sometimes changes the URL to his own. I am changing the text appropriately in the post to make myself clear.
@SarahG - Moderators may sometimes overlook the email address/URL for commentators who are regulars on the blog. Thus appropriate modification to the plugin itself can be of great help in discouraging hijackers.
Jalaj
10 Feb 08 at 1:43 pm
True, you can’t trust human checking
sarahG
10 Feb 08 at 7:45 pm
Caught me! But yes, humans are more prone to error. While humans can learn from errors, computers don’t; they need humans to make them learn. The good thing here is that I don’t update the URL every time you or someone else comments, I just update the count and adjust the location. So if a hijacker posts a comment, that will go in favour of the original commentator.
Jalaj
11 Feb 08 at 1:04 am
It sounds like it’s sleeting, but every time I turn on the outside light & look, nothing’s happening.
engtech
12 Feb 08 at 9:37 am
At least hijackers should have left this post alone, which itself is about them. The comment above is an attempt to hijack another Top Commentator’s position. I have replaced the dots in the URL with hyphens so that the hijacker doesn’t get a fraction of link love.
Hijackers, please excuse this blog. There is a man at work behind the TC list, not a plugin.
Jalaj
12 Feb 08 at 10:02 am
Bhumika
12 Feb 08 at 10:11 am
Oh! Somebody trying to hijack my name!
You are right, email is the only thing that’s not available publicly.
Nirmal
20 Feb 08 at 6:40 pm
[...] the Top Commentators plugin, beware of name hijacking. Jalaj first wrote about this last month at Top Commentators List Hijack, and recently I’ve been suffering from this [...]
Top Commentators List Hijack :: Stuff by Sarah
8 Mar 08 at 12:12 pm
Jalaj, just wanted to say thanks for this post. This has started to happen to me and your post reminded me of what was happening! I’ve edited the Show Top Commentators plugin for those who can use it and it’s available from my site
SarahG
8 Mar 08 at 12:22 pm
lol now i understand why certain blogs only allow comments from registered users
sevenpics
22 Mar 08 at 12:55 am
Hi Jalaj,
Just came across your blog and discovered that you actually already found out about this issue some time ago.
I blogged about this Top Commentator Widget problem when I discovered that someone had made a comment on the same blog using the same name as me and, in the process, replaced my URL as a top commentator.
Nice work
Asia'h Epperson
24 Apr 08 at 7:57 am
Keep on blogging, we need you. I’ve got so much useful stuff from your blog and really value your opinion in this stuff.
Bhumika
8 Jul 08 at 5:27 pm
Lol me too!!!
SarahG
31 Jul 08 at 8:53 am
Yes keep posting!!!! Cool reading
Nirmal
6 Sep 08 at 10:22 am
Jalaj, I didn’t know about this vulnerability - I suppose I’m not surprised cos some people will always try to take short cuts. But it’s evil, man!
Rodney Smith
11 Oct 08 at 2:36 pm
I’ve installed it in my blog and gained a lot of constant commentators and subscribers.
Atniz
5 Jan 09 at 7:22 am