RSS and Web Feeds a Risk?

A followup whitepaper [PDF] to a recent talk at the blackhat security conference has been released outlining the risks associated with web based feeds such as RSS and Atom. From the article: "Attackers could exploit the problem by setting up a malicious blog and enticing a user to subscribe to the RSS feed. More likely, however, they would add malicious JavaScript to the comments on a trusted blog, Auger said. "A lot of blogs will take user comments and stick them into their own RSS feeds," he said."

Huh?

[Umbral+Blot]

Seems more like a problem with allowing javascript in comments (a really dumb idea) than a problem with RSS.

Old technique, new medium

[fosterNutrition]

Not to be the jerk here, but it really shouldn't be that big of a news story that some people discussed the idea that it might not be the best security practice to allow unvalidated user input.

Nobody would think of performing no kind of checking on things submitted into a plain old text box, so why would it be safe just because it's now in the "synergetic web 2.0 blogosphere of community-driven empowerment through technology"

Oh well, still a moderately interesting article...

So..

[Tracer_Bullet82]

If I trust someone and let them have free access to my house, there's a chance one day they'll swipe every thing from it and load into a truck..

just because something is some kind of "new" technology does not mean any different..

use common sense and intelligence.

They saw it coming!

[bruno.fatia]

If I can remote execute code, I can remote execute malicious code. Nothing new please move along

Validation is the only problem

[DivineOmega]

The technology behind web feeds such as RSS and Atom (if you can call an XML file a 'technology') is perfectly safe, it is merely the content of the feed itself which can cause problems.

No one can stop a malicious user from setting up their own feed containing dangerous feeds. However, for existing blogs and weblogs, the validation methods to prevent the input of code and script into comment fields has been around and known about for several years.

Simple rule for input

[fractalVisionz]

Never let input go unchecked. If you do, you are already screwed.

You're missing the point - it's about the "reader"

[hutchike]

It doesn't matter whether we're looking at published blog entries or comments, anything that is fed via RSS or Atom can move JavaScript (for good or bad) - and what the article makes clear is that the problem lies in the news reader programs themselves. They simply don't apply the same level of security you might expect from Mozilla (Firefox), Safari, Opera, Internet Explorer, etc...

The bottom line here is that RSS/Atom reader programs need to apply similar security checks to those performed by popular secure web browsers.

RTFA ;-)

Oh God

[The+MAZZTer]

I can write virii in C++! It's a C++ vulnerability!

Seriously, this is dumb. It is not a problem with RSS/Atom, it is a problem with RSS/Atom viewers that allow JavaScript code to be executed!

Within the context of a web-based viewer this could be a problem, but then again it's no more of a problem than if you go to a questionable site with bad JavaScript. For a browser-based viewer it's simply a matter of the devs remembering to turn off JavaScript support for RSS/Atom feeds.

And in desktop-based viewers... I mean really, who would be stupid enough to even consider implementing JavaScript in one. And if it only does because the programmer took the lazy route and is using a WebControl in the background, well they might want to consider a different method that will actually give them some measure of CONTROL.

Speaking of poorly coded, I wonder if we'll see IE exploits arising from embedded ActiveX controls in RSS feeds, those would cause far more damage than while (1) { window.print(); window.alert("LOL INTERNET"); }.