Slashdot Mirror


RSS and Web Feeds a Risk?

A follow-up whitepaper [PDF] to a recent talk at the Black Hat security conference has been released, outlining the risks associated with web-based feeds such as RSS and Atom. From the article: "Attackers could exploit the problem by setting up a malicious blog and enticing a user to subscribe to the RSS feed. More likely, however, they would add malicious JavaScript to the comments on a trusted blog, Auger said. 'A lot of blogs will take user comments and stick them into their own RSS feeds,' he said."


  1. Huh? by Umbral+Blot · · Score: 5, Insightful

    Seems more like a problem with allowing javascript in comments (a really dumb idea) than a problem with RSS.

    1. Re:Huh? by Anonymous Coward · · Score: 1, Insightful

      Thread over. :)

    2. Re:Huh? by StormReaver · · Score: 2, Insightful

      "Seems more like a problem with allowing javascript...."

      You could have stopped here, and have been even more correct.

    3. Re:Huh? by Richy_T · · Score: 2, Insightful

      An RSS feed does not include HTML. The issue is therefore that any reader that interprets the feed directly should not process any HTML tags (and hence not interpret Javascript) and any aggregator that takes a feed and inserts it into an HTML page should escape all HTML special characters.

      That is not to say that the feed can not contain HTML characters, a description "Microsoft says the <a> tag to be depreciated in Vista" is fully valid but should be treated as plain text, *not* html.

      Sites which take formatting from their headlines and/or descriptions and include them in the RSS feed *are* broken but the real security bug lies where the text within is not treated as plain text by whatever reads the feed.

      Rich

  2. Old technique, new medium by fosterNutrition · · Score: 5, Insightful

    Not to be the jerk here, but it really shouldn't be that big of a news story that some people discussed the idea that it might not be the best security practice to allow unvalidated user input.

    Nobody would think of performing no kind of checking on things submitted into a plain old text box, so why would it be safe just because it's now in the "synergetic web 2.0 blogosphere of community-driven empowerment through technology"?

    Oh well, still a moderately interesting article...

  3. So.. by Tracer_Bullet82 · · Score: 5, Insightful

    If I trust someone and let them have free access to my house, there's a chance one day they'll swipe everything from it and load into a truck..

    just because something is some kind of "new" technology does not mean any different..

    use common sense and intelligence.

    --
    Dandle it high, high
    the machete is already sharpened
    if you are going to bathe at all
    you may as well get wet through

    1. Re:So.. by Zelbinian · · Score: 2, Insightful

      Someone wiser than I once said "Common sense is not that common."

      --
      Putting the 33k in G33k.

  4. What sensible feed aggregator allows javascript? by jZnat · · Score: 2, Insightful

    That's like allowing javascript in HTML email. Any sensible aggregator (and mail client) disables all javascript by default.

    Someone please reassure me that Vista's aggregator does so as well. In fact, can anyone even refer to an aggregator that parses and enables javascript? I can't begin to think of where to find one.

    --
    'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'

  5. They saw it coming! by bruno.fatia · · Score: 3, Insightful

    If I can remote execute code, I can remote execute malicious code. Nothing new please move along

  6. Validation is the only problem by DivineOmega · · Score: 3, Insightful

    The technology behind web feeds such as RSS and Atom (if you can call an XML file a 'technology') is perfectly safe, it is merely the content of the feed itself which can cause problems.

    No one can stop a malicious user from setting up their own feed containing dangerous feeds. However, for existing blogs and weblogs, the validation methods to prevent the input of code and script into comment fields have been around and known about for several years.

  7. Re:What sensible feed aggregator allows javascript by nwbvt · · Score: 2, Insightful

    From the article:

    SPI Dynamics examined a number of online and offline applications used to read RSS and Atom feeds. In many cases any JavaScript code delivered on the feed would run on the user's PC, meaning it could be vulnerable to attack, Auger said.

    They don't name names, but it does seem like a number of aggregators do support JavaScript. And when the day comes where someone develops a "Web 2.0 AJAX enabled blog", there will be pressure for more and more aggregators to support JavaScript (likely it will be an option that can be disabled, but who is going to do that if it means they cannot access certain features on certain blogs).

    This is just one more reason I hate Javascript.

    --
    Mathematics is made of 50 percent formulas, 50 percent proofs, and 50 percent imagination.

  8. Simple rule for input by fractalVisionz · · Score: 4, Insightful

    Never let input go unchecked. If you do, you are already screwed.

  9. You're missing the point - it's about the "reader" by hutchike · · Score: 3, Insightful

    It doesn't matter whether we're looking at published blog entries or comments, anything that is fed via RSS or Atom can move JavaScript (for good or bad) - and what the article makes clear is that the problem lies in the news reader programs themselves. They simply don't apply the same level of security you might expect from Mozilla (Firefox), Safari, Opera, Internet Explorer, etc...

    The bottom line here is that RSS/Atom reader programs need to apply similar security checks to those performed by popular secure web browsers.

    RTFA ;-)

    --
    Zen tips: Pay attention. Don't take it personally. Believe nothing.

  10. Oh God by The+MAZZTer · · Score: 4, Insightful

    I can write virii in C++! It's a C++ vulnerability!

    Seriously, this is dumb. It is not a problem with RSS/Atom, it is a problem with RSS/Atom viewers that allow JavaScript code to be executed!

    Within the context of a web-based viewer this could be a problem, but then again it's no more of a problem than if you go to a questionable site with bad JavaScript. For a browser-based viewer it's simply a matter of the devs remembering to turn off JavaScript support for RSS/Atom feeds.

    And in desktop-based viewers... I mean really, who would be stupid enough to even consider implementing JavaScript in one. And if it only does because the programmer took the lazy route and is using a WebControl in the background, well they might want to consider a different method that will actually give them some measure of CONTROL.

    Speaking of poorly coded, I wonder if we'll see IE exploits arising from embedded ActiveX controls in RSS feeds, those would cause far more damage than while (1) { window.print(); window.alert("LOL INTERNET"); }.

  11. Re:Except that it CAN be virii by xenoandroid · · Score: 2, Insightful

    "No reputable printed dictionary includes them as correct forms."

    VIRII is NOT a word.

  12. Re:Except that it CAN be virii by Anonymous Coward · · Score: 1, Insightful

    You do realise that Wikipedia isn't an authoritative source, don't you? And even if you trust Wikipedia as a source, if you read further:

    In the English language, the standard plural of virus is viruses. This is the most frequently occurring form of the plural, and refers to both a biological virus and a computer virus.

    The less frequent variations viri and virii are virtually unknown in edited prose, and no major dictionary recognizes them as alternative forms.

  13. Just encode it, that's what I do by chudik · · Score: 2, Insightful

    This is the case where I subscribe to the school of thought that the RSS description element should have no markup. The original purpose of RSS was not to distribute whole articles but only describe them and provide a link.
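
Added example (not part of the thread, and not code from any aggregator mentioned in it): a minimal Python feed renderer that does what Richy_T's and chudik's comments call for, treating the feed's title and description as plain text and escaping them before they reach an HTML page. The sample feed, `render_feed`, `safe_link` and the http(s)-only link rule are assumptions made for this illustration; the link rule goes a step beyond what the comments discuss.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample feed: the second item carries markup in its title and
# description, the way a user comment copied into a feed would.
# The stdlib parser keeps this self-contained; for untrusted feeds a hardened
# parser such as defusedxml is the usual choice.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel>
  <title>Example blog (constructed)</title>
  <item>
    <title>Microsoft says the &lt;a&gt; tag to be depreciated in Vista</title>
    <link>https://blog.example/post/1</link>
    <description>Plain headline that happens to mention a tag.</description>
  </item>
  <item>
    <title>Nice post&lt;script&gt;alert(1)&lt;/script&gt;</title>
    <link>javascript:alert(1)</link>
    <description><![CDATA[<img src=x onerror="alert(1)">Great article!]]></description>
  </item>
</channel></rss>"""

ALLOWED_SCHEMES = ("http://", "https://")


def safe_link(url):
    """Return the URL only if it is plain http(s); otherwise no link at all."""
    url = (url or "").strip()
    return url if url.lower().startswith(ALLOWED_SCHEMES) else None


def render_item(item):
    """Render one <item> as HTML, treating every feed field as plain text."""
    title = html.escape(item.findtext("title", default=""), quote=True)
    desc = html.escape(item.findtext("description", default=""), quote=True)
    link = safe_link(item.findtext("link"))
    if link:
        title = '<a href="%s" rel="noopener">%s</a>' % (html.escape(link, quote=True), title)
    return "<li><h3>%s</h3><p>%s</p></li>" % (title, desc)


def render_feed(feed_xml):
    """Parse the feed and return an HTML list with all item text escaped."""
    root = ET.fromstring(feed_xml)
    return "<ul>\n%s\n</ul>" % "\n".join(render_item(i) for i in root.iter("item"))


if __name__ == "__main__":
    print(render_feed(SAMPLE_FEED))
```

The XML parser decodes `&lt;script&gt;` and CDATA back into literal angle brackets, so the escaping has to happen at output time, after parsing, not be assumed from how the feed was encoded.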