LJ OpenID loophole
[Mar. 25th, 2007|03:24 am]
I get several anonymous spam comments on this blog every day, but they don't show up because they're screened by default. If you ask LJ to screen anonymous comments, it doesn't screen comments from OpenIDs (although the comment posting form claims it does). This is silly, because anyone, including a spammer, can set up an OpenID identity server. That's sorta the whole point of OpenID.
Even better, there are anonymous OpenID servers around, which provide disposable IDs with no authentication. Go ahead, try it out, post a reply to this page by selecting OpenID in the From: field, and "http://www.jkg.in/openid/anything" as the URL. It won't ask you for any sort of password, and the comment will show up even though I'm screening anonymous comments. Kinda silly, isn't it?
Shows you how stupid spammers must be if they haven't figured this out yet.
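The screening gap described in this post, as an added example that is not LiveJournal's code: one function reproduces the described behaviour (only literal anonymous comments are screened), the other also screens any OpenID the journal owner has not explicitly trusted. The `Comment` type, the function names, the trust list and `friend.example` are assumptions made for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class Comment:
    auth: str        # "anonymous", "local" or "openid" (hypothetical labels)
    identity: str    # local username or claimed OpenID URL ("" if anonymous)

def normalize_openid(url: str) -> str:
    """Canonicalize a claimed OpenID URL so trust-list lookups are stable."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme.lower()}://{host}{port}{parts.path.rstrip('/')}"

def screen_as_described(c: Comment) -> bool:
    """Behaviour the post describes: only literal anonymous comments are screened."""
    return c.auth == "anonymous"

def screen_hardened(c: Comment, trusted_openids: set[str]) -> bool:
    """Screen anonymous comments and any OpenID the owner has not vouched for.

    Completing an OpenID login only proves control of a URL; it says nothing
    about who runs the provider behind that URL.
    """
    if c.auth == "anonymous":
        return True
    if c.auth == "openid":
        return normalize_openid(c.identity) not in trusted_openids
    return False  # local account: other screening rules may still apply

# Constructed sample data; the second URL is the one quoted in the post.
TRUSTED = {normalize_openid("https://friend.example/")}
SAMPLES = [
    Comment("anonymous", ""),
    Comment("openid", "http://www.jkg.in/openid/anything"),
    Comment("openid", "HTTPS://Friend.Example"),
    Comment("local", "some_lj_user"),
]

def decisions():
    """Return (described, hardened) screening decisions for each sample."""
    return [(screen_as_described(c), screen_hardened(c, TRUSTED)) for c in SAMPLES]

if __name__ == "__main__":
    for comment, decision in zip(SAMPLES, decisions()):
        print(comment, decision)
```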