Print this article | E-mail this article | Comment on this article

RSS Feeds at Risk From Attackers?

By Ed Oswald, BetaNews

August 4, 2006, 2:05 PM

Likely thought by many to be harmless, security researchers are now warning that RSS feeds can be used to launch attacks against unprotected computers. Hackers could insert malicious JavaScript in the feeds, which in turn would be delivered to the user.

The comments were made during a presentation at the Black Hat convention in Las Vegas, a yearly meeting of both hackers and security researchers. SPI Dynamics Security Engineer Robert Auger said that the issue could potentially affect any such information feed.

Auger's company said any type of RSS reader was susceptible to attacks, whether it be software or web-based. Information at risk could include potentially sensitive information, including passwords and personal data.

Especially disconcerting is the fact that attacks could be launched from trusted sites. Some blogs now include comments to Web posts within the feed, and all an attacker would have to do is include the JavaScript code within that comment for it to be distributed.

While attackers could launch their own blogs and feeds to distribute the harmful code, Auger believes that the previously mentioned scenario is likely to be the most commonly used method.

But who is to blame for the security risk? It appears to be the creators of the RSS applications themselves, who have failed to include proper security checks within the programs.

Of the Web-based readers, Bloglines was mentioned as vulnerable to attack. Of the software readers, Auger mentioned RSS Reader, RSS Owl, Feed Demon, and Sharp Reader. It should be mentioned this list of vulnerable readers is by no means complete; Auger was still contacting vendors about the problem at the time of his presentation.

To protect computers, Auger has advised that users go into their options and disable scripts, applets, and plug-ins from being launched within feeds. "Wherever you get data from you can't assume that data is good," he told the audience.

Add a Comment (12 Comments)

BetaNews reserves the right to remove any comment at any time for any reason. Please keep your responses appropriate and on topic. Foul language and personal attacks will not be tolerated.

By |)4v3

posted Nov 22, 2006 - 3:37 PM

I found a nice anti phishing plug in,that works with Firefox 2. I don't know if it will work in I.E7. but it can be found at
http://www.phishtank.com

Score: 0

By naman91

edited Aug 6, 2006 - 7:11 PM

Here's something I learnt ages ago--- NOTHING IS SAFE.
"But who is to blame for the security risk? It appears to be the creators of the RSS applications themselves, who have failed to include proper security checks within the programs." Okay, so you blame everybody except yourself.

Computer's are vulnerable to attacks, let's blame Charles Babbage for inventing the computer. Windows has security holes. Let's blame Microsoft for giving us a more useful interface. Yahoo has the highest no. of bot users that spam. Let's shut Yahoo down. Blaming anyone can't help you, Auger. Instead of friggin' blaming, do the world some good and either create security patches for RSS readers or shoot yourself.

Score: 0

By Gerry_was_taken

edited Aug 6, 2006 - 2:04 AM

> Likely thought by many to be harmless

By who? Every professional coder on this planet knows that you don't trust data from outside sources. Do you really think people aren't validating RSS feeds that they are integrating into their site?

If Robert Auger received money from you and others for this "revelation" then he just pulled off a hilarious con.

However next time get a coder to look over the story and laugh in your face before you publish time wasting dribble.

It's like this, you don't leave a gun out on a table in a public area. He has taken the attitude that this is because a child could pick it up and shoot somebody, but now he alerting you to the "hidden danger" that adults too can pick up that gun and shoot people with it. Well thanks Einstein!

Score: 0

By |)4v3

edited Aug 5, 2006 - 5:48 PM

try sage in firefox

Score: 0

By Desides

posted Aug 4, 2006 - 11:31 PM

Somehow I doubt Firefox's Live Bookmarks are vulnerable.

Score: 0

By JacenSolo

edited Aug 5, 2006 - 8:54 AM

Something I've leant over the past couple of years... nothing is invulnerable.

and Firefox's RSS reading tech would bhe similar to Opera or IEs, would it not? I mean, how many diff types of RSS is there?

"But who is to blame for the security risk? It appears to be the creators of the RSS applications themselves, who have failed to include proper security checks within the programs."

Wouldn't RSS exclude Javascript anyway?

Score: 0

By gawd21

posted Aug 4, 2006 - 8:22 PM

Hmmmmmmmm! How many of you said I was retarded or stupid for telling you that this was 100% going to happen??????? PC_Tools you were the first one.

Score: 0

By PC_Tool

edited Aug 6, 2006 - 12:29 AM

Well, if it isn't for one thing, I'm sure it's another. ;)

(And if yer gonna attribute something to me, at least link to it)

Score: 0

By gawd21

posted Aug 6, 2006 - 2:20 PM

I don't really feel like digging in the trash to find a little note.

Score: 0

By PC_Tool

edited Aug 7, 2006 - 9:17 AM

I have yet to write you a note.

Unless you're name is Eric... In which case, what the hell are you still doing here? It was pink..and it said, "You're Fired." ;)