CiteULike’s dirty MD5 trick?
I am becoming more and more disappointed with CiteULike. Here’s my latest complaint:
They recently added a hidden field with MD5-coded junk in the copy/post page. The code is at the bottom of the HTML code. If you omit the field or the two junk MD5 strings are changed, it refuses to post.
<input type="hidden" name="url" value="">
<input type="hidden" name="xEB86E36DE8AE7558C4AAF9ED5F957FA84" value=""/>
<input type="hidden" name="src_username" value="josephgentet">
</form>
</div>
<script type="text/javascript">
<!--
document.frm.xEB86E36DE8AE7558C4AAF9ED5F957FA84.value = hex_md5('128772AFB86912A164500…76D2F416D1FF3D');
document.frm.tags.focus();
-->
</script>
What is this new feature for? Security? Since it’s right there in the source code, anybody can get this code. I can’t think of any other reason but to curb attempts to automate some of the steps.
I wrote a Greasemonkey script a couple of years ago which, along with other things, adds "copy to my library" buttons to any entries on the CUL site that are not currently in my library. I could also add tags right there. It uses AJAX to assemble the form required for the "copy/post" page and then posts directly. If you use CUL, you know how much time and clicks it saves … or it used to save.
Now with the new MD5 dirty trick, it breaks the script. I can fairly easily mend the script — just load the copy/post page, get the MD5 string, and post it. Simply more time and unnecessary traffic. I also found that the junk field name doesn’t change between sessions. It perhaps encodes my username or something. Like I said, the whole thing is not a security measure at all and is easy to bypass.
One has to ask why.
CUL recently has been putting up Google ads. Is this a new way to drive up page counts? If this is where it is going, then they have just lost me.
[Update]
I didn’t expect any audience of my rumbling, but I got 2 comments from the CUL team the next day I posted this. I appreciate your explanation. And I crossed the d-word in the article. Yes, I think I can deal with it, but right now my "Copy to my library" GM hack is still broken. Just to show how much I miss it, here’s what it looks like (the 2nd "getit@duke" image was added by another script, Duke LibX). Maybe someone can implement it directly in CUL?
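The check described in the post, modelled server-side as an added example (not CiteULike's code, which the page does not show): a value derived from a fixed seed, next to a token bound to one session and a time window. All function names, the key, the seed and the 600-second lifetime are assumptions made for illustration.

```python
import hashlib
import hmac

# Hypothetical names and constructed values throughout; nothing here is CiteULike's code.
SERVER_KEY = b"constructed-demo-key"  # constructed secret, server-side only
MAX_AGE = 600                         # assumed token lifetime in seconds


def static_expected(seed: str) -> str:
    """Value the page's inline script fills in: hex_md5(seed)."""
    return hashlib.md5(seed.encode()).hexdigest()


def check_static(seed: str, submitted: str) -> bool:
    """Scheme as the post describes it. The seed is in the page source and is
    not tied to a session, so a value obtained once keeps passing."""
    return hmac.compare_digest(static_expected(seed).encode(), submitted.encode())


def issue_bound(session_id: str, now: int) -> str:
    """Bound variant: timestamp plus an HMAC over session id and timestamp."""
    mac = hmac.new(SERVER_KEY, f"{session_id}|{now}".encode(), hashlib.sha256)
    return f"{now}.{mac.hexdigest()}"


def check_bound(session_id: str, token: str, now: int) -> bool:
    """Accept only a token issued to this session within MAX_AGE seconds."""
    ts, _, _ = token.partition(".")
    if not (ts.isascii() and ts.isdigit()):
        return False
    issued = int(ts)
    if issued > now or now - issued > MAX_AGE:
        return False
    return hmac.compare_digest(issue_bound(session_id, issued).encode(), token.encode())


def demo() -> dict:
    """Run both checks over constructed inputs and report what each accepts."""
    seed = "constructed-seed"
    token = issue_bound("session-A", 1000)
    return {
        "static_reused": check_static(seed, static_expected(seed)),
        "bound_same_session": check_bound("session-A", token, 1100),
        "bound_other_session": check_bound("session-B", token, 1100),
        "bound_expired": check_bound("session-A", token, 1000 + MAX_AGE + 1),
    }


if __name__ == "__main__":
    print(demo())
```

Neither check identifies a human; the bound variant only ensures each submission corresponds to a page load in the same session within the time window.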
February 1st, 2008 at 10:54 am
Gary,
This was implemented as anti-spam device and was never meant to get in the way of real users like you. We have had a huge amount of spam targeted at CiteULike and are hopefully winning. It sounds like you have already solved the problem for yourself, but please understand that our intentions were good. Maybe we should have let all the legitimate users know before we did it.
Kevin
February 1st, 2008 at 1:53 pm
I’m one of the CiteULike developers. I’m sorry that you’re upset at the simple anti-spam measures that we are using at the moment. The change in question is designed to stop some of the more imbecilic spammers from posting to CiteULike with scripts. As such, it has been reasonably successful. You are the first “collateral damage” that we’ve heard of and for that I’m sorry. As I’m sure you know, spammers are the scourge of many “social” sites. We believe that it is in all of our users’ interests to take as many measures as possible to remove spam from CiteULike. The combination of some automatic and some manual spam filtering means that CiteULike is, to all intents and purposes, spam-free at present. We work very hard to maintain the status quo.
As for the Google ads, they’re simply a way of defraying some of our costs - perhaps this is why they also appear at the top of this page?
February 1st, 2008 at 10:01 pm
Hi Kevin and CUL Team,
Thanks for your clarification. And I updated my post. I also added a screenshot of the “copy to my library” hack. See above. It would be great if you guys can do something like that or better.
– gary