RSS Feeds at Risk From Attackers?

Likely thought by many to be harmless, security researchers are now warning that RSS feeds can be used to launch attacks against unprotected computers. Hackers could insert malicious JavaScript in the feeds, which in turn would be delivered to the user.

The comments were made during a presentation at the Black Hat convention in Las Vegas, a yearly meeting of both hackers and security researchers. SPI Dynamics Security Engineer Robert Auger said that the issue could potentially affect any such information feed.

Auger's company said any type of RSS reader was susceptible to attacks, whether it be software or web-based. Information at risk could include potentially sensitive information, including passwords and personal data.

Especially disconcerting is the fact that attacks could be launched from trusted sites. Some blogs now include comments to Web posts within the feed, and all an attacker would have to do is include the JavaScript code within that comment for it to be distributed.

While attackers could launch their own blogs and feeds to distribute the harmful code, Auger believes that the previously mentioned scenario is likely to be the most commonly used method.

But who is to blame for the security risk? It appears to be the creators of the RSS applications themselves, who have failed to include proper security checks within the programs.

Of the Web-based readers, Bloglines was mentioned as vulnerable to attack. Of the software readers, Auger mentioned RSS Reader, RSS Owl, Feed Demon, and Sharp Reader. It should be mentioned this list of vulnerable readers is by no means complete; Auger was still contacting vendors about the problem at the time of his presentation.

To protect computers, Auger has advised that users go into their options and disable scripts, applets, and plug-ins from being launched within feeds. "Wherever you get data from you can't assume that data is good," he told the audience.