Heartbleed update

You've probably heard of CVE-2014-0160, also known as "Heartbleed", a flaw in OpenSSL that could allow theft of data protected by SSL/TLS encryption.

After assessing the vulnerability and investigating our servers, we have concluded that the Mollom services were not affected. This includes mollom.com, rest.mollom.com, xmlrpc.mollom.com, dev.mollom.com and my.mollom.com. As a result, Mollom customers are not required to change their passwords or API keys. If you reuse your Mollom password for other services (not recommended), we do recommend changing it, in case any of those other services were affected.

We are constantly looking for vulnerabilities like this, and encourage everyone to report any that we've missed so that we can fix them before they are exploited.
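The assessment described above starts with finding out which OpenSSL builds are in the affected range. The following shell function is an added example (not Mollom's tooling): it triages the output of `openssl version` against the upstream-affected releases of CVE-2014-0160 and flags distribution backports, which kept the old version string, as needing a package-level check rather than declaring them vulnerable.

```shell
#!/bin/sh
# Added example, not part of the original post or Mollom's infrastructure.
# Upstream-affected OpenSSL releases for CVE-2014-0160: 1.0.1 through 1.0.1f
# (inclusive) and 1.0.2-beta1. The fix shipped in 1.0.1g.
# Caveat: distributions backported the fix without changing the version
# string (patched 1.0.1e builds exist), so a match means "check the package
# changelog or build date", not "confirmed vulnerable".

heartbleed_version_in_range() {
  # $1: one line of `openssl version` output, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
  ver=$(printf '%s\n' "$1" | awk '{print $2}')
  ver=${ver%-fips}            # "1.0.1e-fips" is the same code base as "1.0.1e"
  case "$ver" in
    1.0.1|1.0.1[a-f]) return 0 ;;   # heartbeat extension present, unpatched upstream
    1.0.2-beta1)      return 0 ;;
    *)                return 1 ;;   # 0.9.8 / 1.0.0 lack the extension; 1.0.1g+ carry the fix
  esac
}

# Map the range check to a triage word for a fleet report.
heartbleed_triage() {
  if heartbleed_version_in_range "$1"; then
    echo "investigate"
  else
    echo "not-in-range"
  fi
}

# Live check of this host, only if an openssl binary is installed.
if command -v openssl >/dev/null 2>&1; then
  echo "$(openssl version): $(heartbleed_triage "$(openssl version)")"
fi
```

For hosts reported as "investigate", confirm with the distribution's package version and advisory before deciding whether keys and credentials need rotating.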

Big Accessibility Improvements for Mollom's CAPTCHAs on Drupal

As everyone who has been presented with a squiggly, impossible-to-read CAPTCHA test knows, solving CAPTCHA tests can be frustrating. For users with visual impairment, this frustration can be multiplied tenfold. In order to support these kinds of users, Mollom provides an audio version of our CAPTCHA, available by default for all Mollom installations that utilize the Drupal or WordPress modules.

However, there were some aspects of our audio CAPTCHAs that we’ve been wanting to improve. For example, users could not use keyboard navigation to tab into the audio player or control audio playback. Also, our instructions led some users to become confused and believe that they had to type in several words of text rather than just a few characters. Many of our problems were due to the usage of an old Flash player for audio that had been put in place to ensure consistent playback of MP3 audio files in the browsers of the day.

Then came HTML5 audio and, eventually, consistent native support for MP3 playback. We still investigated a number of existing third-party audio libraries, but in the end decided to keep it simple: each browser already implements its own audio controls natively. Taking advantage of this allows sites using Mollom to apply any existing HTML5 media solution, or simply to benefit from the browser's own accessibility enhancements. It also allows users playing the CAPTCHAs to take full advantage of the accessibility tools they already use for web browsing. We still use an improved Flash player fallback where HTML5 MP3 playback is not supported, but that player can now be accessed and controlled with standard keyboard controls. For users who still have difficulties, or prefer their own tools, we provide a direct link to the MP3 file so they can play it in whatever player they choose.

We understand that despite our best efforts to use an internationalized approach to audio CAPTCHAs, our audio CAPTCHAs may not be appropriate for some non-English language sites. As a result, we have added a new configuration option within the Mollom settings advanced configuration section to disable audio CAPTCHAs altogether. For site owners who simply wish to change the presentation, we have moved the image and audio CAPTCHA displays into overridable Drupal theme templates.

Finally, we now provide a better explanation of how to use the NATO alphabet-based audio CAPTCHAs and ensure that the appropriate instructions are displayed in both image and audio CAPTCHA situations.

We’re happy to provide these updates that will make websites within the Mollom network more accessible and more compliant with modern web standards. Update your Drupal module to version 7.29 (or 6.27 for Drupal 6 sites) to take advantage of the new and improved CAPTCHA presentations. Your site visitors will thank you.

The Future of CAPTCHAs?

It was Halloween last week, and a company called Vicarious has indeed come up with something scary, for those of us who care about content quality: they announced that they’ve developed a tool that can solve 90% of all CAPTCHAs displayed by Google's reCAPTCHA service.

Why is this so scary? According to this academic paper, a good rule of thumb is to consider a CAPTCHA system to be broken if an automated attacker can reach a precision of 1%. Vicarious is claiming 90% precision. If their claims hold up, it means that reCAPTCHA has been broken pretty severely.

The good news: the team at Vicarious says they are not planning to release this technology into the wild.

The bad news: if Vicarious can do it today, the bad guys will also be able to do it soon.

If CAPTCHA-breaking technology like this became widely available, the results would be disastrous for the hundreds of thousands of websites that rely on a CAPTCHA system to fend off content spammers. Sites with user engagement components would be so overrun with spammy comments and fake registrations that they would likely have to resort to shutting off user engagement altogether, unless they came up with an alternate security system.

Anti-CAPTCHA technology is advancing, but so are attempts to build better “are you really a human?” tests. A team at Carnegie Mellon is working on a new test they are calling a GOTCHA test, which asks users to describe patterns seen in inkblots.

It’s great to have technology like this in the queue, but it’s not ready for primetime yet, so what can sites do today to proactively protect themselves?

Text Analysis + CAPTCHA

If you’re familiar with how Mollom works, you know that CAPTCHA is part of the solution. So where does Mollom fit in a post-CAPTCHA world? CAPTCHA is just part of our approach to content quality, and in fact, it’s actually the backup plan.

Mollom’s primary tool for fighting bad content is sophisticated Text Analysis. Mollom’s Text Analysis uses artificial intelligence to classify each piece of content by its quality, not by whether it was submitted by a human or a bot. 92.5% of the time, Mollom can do this without showing any CAPTCHA at all (which is nice for all the humans out there). Only when Mollom is unsure does it trouble anyone with a CAPTCHA, so most users never have to bother with one on sites protected by Mollom.

But what about the 7.5% of the time Mollom does use a CAPTCHA? In a post-CAPTCHA world, Mollom would have to adopt new techniques. The Mollom team is always working to tune Mollom’s Text Analysis to block a larger percentage of bad content, but there will always be some uncertainty. For those cases, without CAPTCHA, Mollom could implement effective (but burdensome) solutions like email or SMS user verification. Such verification generally leads to a much lower completion rate, and if you relied on it all the time you’d probably see a big dip in usage on your site, but as a fallback option it may be workable.

Key Points

  • A new technology seems to have broken the Internet’s most prominent CAPTCHA solution
  • Sites that rely strictly on CAPTCHA are going to need to prepare for a post-CAPTCHA future
  • AI-based Text Analysis is one way to avoid the need for CAPTCHA altogether in many cases

Readers, do you think CAPTCHA in its present form will still be playing an important role three years from now? If not, what will replace it? We’d love to hear your thoughts.

Important Mollom Security Notice

Dear Customer,

This is an important security notice from the Mollom team. On August 21, we identified a breach of one of our Mollom servers. Our subsequent investigation showed that unauthorized users gained access to Mollom servers and were potentially able to access Mollom data. Today we have closed the security loophole used to gain access and taken measures designed to prevent future breaches.

Data that may have been compromised includes usernames, account contact information, passwords, Mollom public and private keys, and billing transaction logs. PayPal account information was NOT stored on the affected servers.

At this time, we have no evidence that any malicious activity took place with customer data. To help assure this continues to be the case, in addition to the measures described above, we have changed all Mollom user account passwords.

What You Need to Do

Because we have reset all of the Mollom user account passwords to access the Mollom administrative interface, you will need to reset your password using this URL:

In keeping with security best practices, if you have used your Mollom.com user account password for other sites on the Internet, it is recommended for you to change it in those places.

What We are Doing to Prevent Future Breaches

The security of the Mollom platform is of paramount importance to us. We are conducting a thorough review of our procedures and will be arranging additional external security audits above and beyond our normal schedule to further test our security measures and give you peace of mind. Check back here for updates as they become available.

Thank you,
The Mollom Team


2013-08-24 01:12 CEST:
A recent security notice that we delivered in an email was mistakenly sent in HTML. This notice contained several redirected links. We have received queries regarding the authenticity of the email, but please be assured that the information on this page is accurate. We apologize for any confusion that our notice may have caused.


What happened?

The Mollom team has identified unauthorized access to user information on Mollom.com, which occurred via third-party software installed on the Mollom.com server infrastructure.

What information of mine was exposed?

The information includes usernames, account contact information, encrypted passwords, Mollom public and private keys, and billing transaction logs. PayPal account information was NOT stored on the affected servers.

However, we are still investigating the incident and may learn about other types of information compromised, in which case we will notify you accordingly.

Was my PayPal account information or credit card information exposed?

We do not store PayPal account information or credit card information on our site and have uncovered no evidence that credit card numbers may have been intercepted. We will notify you if we learn in the course of completing our investigation that other types of information may have been compromised.

How did the access happen?

Unauthorized access was made via third-party software installed on the Mollom.com server infrastructure, and was not the result of a vulnerability within Drupal. We are still investigating and will share more detail when it is appropriate.

Was the integrity of Mollom.com’s content quality evaluation system affected by this unauthorized access? Did any spam / malicious content get through?

No, this breach has not affected the content quality evaluation system and the core Mollom.com services continue uninterrupted except for some short necessary downtimes for security upgrades.

Do I need to change my password? How do I change my password?

All Mollom passwords have already been reset. You need to set up a new password using this URL:
http://mollom.com/user/password - Please do not use your old password.

Do I need to do anything regarding my Mollom public and private keys?

No, you can continue to use your current Mollom public and private keys while we continue to investigate. The core Mollom.com services will continue uninterrupted. The Mollom team will contact you in the future if there is a need to update your keys.

What has been done to prevent this type of unauthorized access in the future?

There have been several infrastructure and application changes including:

  • The Mollom.com team has rebuilt the affected core Mollom.com server and has disabled the third-party application that led to the unauthorized access
  • An external automated security audit was performed
  • An external security firm was engaged to perform a detailed audit of the Mollom.com infrastructure
  • We have reset all Mollom.com user account passwords and increased the strength of the password encryption system

Do you have any information about the identity of the person or group who did this?

At this point there is no information to share.

What is the Mollom.com team doing to investigate the unauthorized access?

We have a forensics team made up of Mollom staff and outside security experts investigating.

What else can I do to protect myself?

First, we recommend as a precaution that you change or reset passwords on other sites where you may use similar passwords to your old Mollom password, even though all passwords on Mollom.com are hashed. To make your password more secure:

  • Do not use passwords that are simple words or phrases
  • Never use the same password on multiple sites or services
  • Use different types of characters in your password (uppercase letters, lowercase letters, numbers, and symbols).

Second, be cautious if you receive e-mails asking for your personal information and be on the lookout for unwanted spam. It is not our practice to request personal information by e-mail. Also, beware of e-mails that threaten to close your account if you do not take the "immediate action" of providing personal information.

Although we do not store credit card information, as a precaution we recommend that you closely monitor your financial accounts if you use a password with your financial institution that is similar to your Mollom.com password. If you see unauthorized activity, you should immediately contact the financial institution. You may obtain additional information about responding to identity theft from the Federal Trade Commission ("FTC") by calling 1-877-ID-THEFT (1-877-438-4338) or on the web at: http://www.consumer.ftc.gov/features/feature-0014-identity-theft

Based on the results of the investigation into this incident, we may update the FAQs and may recommend additional measures for protecting your personal information.

How will I be informed of future updates?

As information becomes available, we will post that information on http://mollom.com/blog/security-notice-august-2013

Mollom Reloaded for WordPress

There is a brand-new Mollom plugin for WordPress to protect your blog from comment spam and unwanted posts.

Mollom is available for free for personal blogs and small company websites; paid plans offering more features and higher post volumes are available, too.

The new WordPress plugin ships with complete support for our Content Moderation Platform — enabling you to moderate all of your WordPress (and other) sites from a single, unified interface.

Your moderation team is now able to moderate user-contributed content on e.g. your 14 WordPress blogs and 3 Drupal sites - without having to visit each site separately. Of course, you can connect and integrate websites on other platforms, too.

As the successor of the WP-Mollom plugin, it integrates with our most recent REST API, bringing the latest and greatest features of Mollom to your WordPress blog. Following the Mollom module for Drupal, the new WordPress plugin also leverages the Mollom PHP library, which allows both platforms to benefit from future improvements. Upgrading is as easy as uninstalling the old plugin and installing the new one.

The new plugin has been authored by Matthias Vandermaesen (netsensei) with help from Daniel F. Kudwien (sun) - they both share more detailed insights about the new WordPress plugin on their personal blogs.

We’ve reviewed and successfully tested the new plugin on various sites and can confirm that it works excellently. — Well done!

Did you try it already? Are you missing features or enhancements?

Let us know what you think!