As a good Internet citizen, I dropped an email to Ning alerting them to the problem. I've since received back what appears to be a stock form email in response:
Thanks for bringing this to our attention. As you may already know, Ning is a platform that enables individuals to build their own social networks. We aren't involved in the decisions relating to content uploaded or published by Network Creators or members. In addition, we aren't involved in the management of the social networks on our platform, or in any of the decisions relating to the focus of social networks created on our platform. That said, we'll look into this and take action if we determine that our Terms of Service have been violated.
The Ning Team
I've checked, and the problem still exists. Google is delisting the virus redirectors pretty quickly, but they're being added even more quickly. Right now, Google shows about 600,000 virus redirectors on various Ning-hosted sites, with many more existing but not listed in Google.
It seems that Ning either does not understand or does not care about the scope of the problem they face.
In a way, I'm not surprised. iPower Web took over a year to fix their security when they were hit with a massive, ongoing server security breach, for example.
But it is disappointing. An executive at Verizon recently wrote an essay deriding security researchers who talk about security issues publicly as "narcissistic vulnerability pimps" who "solely for the purpose of self-glorification and self-gratification - harms business and society by irresponsibly disclosing information that makes things less secure."
But considering how poorly ISPs and software vendors tend to respond to security problems, and how cavalier they seem to be with the safeguarding of their users' data, it's hard to see this essay as anything more than the whining of a crybaby managers who would rather play Quake III Arena than take care of fixing gaping security holes in their systems.
Meantime, I still suggest that anyone hosted on Ning seek hosting elsewhere.