
RSS feeds a security risk for users

Posted by Michael Bloch in web development (Sunday August 6, 2006 )

At the recent Black Hat convention in Las Vegas, the specter was raised of RSS feeds being used to launch attacks on feed subscribers, with consequences that reach even non-subscribers.

The alert came from Robert Auger, co-founder of SPI Dynamics, an Atlanta, Georgia based security firm. According to Mr. Auger, the risk goes beyond RSS subscribers, as feeds also appear in search engine results.

One of the threats he mentioned is that malicious JavaScript code could find its way into a feed, most likely through blog/article comments from users. The results of Mr. Auger’s testing show that many popular feed readers, both offline and online, do not strip out JavaScript code. This malicious code could then be executed on the user’s system.

I’d never really considered this, so as an experiment I tried adding a few comments with some non-malicious JavaScript to one of my posts. Some JavaScript snippets worked, others didn’t – but the fact that a couple worked is rather frightening. As a result, I’m investigating ways to strip JavaScript from comment submissions, although I do review all comments carefully before allowing any to appear in this blog. Like most bloggers, I see a stack of spam comments each day, but I’ve never seen anyone try to post any malicious JavaScript – yet.

Issues such as this are all the more reason not to allow automatic comment approval, in my opinion. While we can’t do much about the security of feed-reading applications ourselves, as publishers we can all play a part in ensuring that malicious code isn’t presented to the user in the first place.

With RSS feeds finally gaining real awareness and popularity as valuable communications and marketing tools, the last thing we all need is a major setback sparked by consumers panicking about infected feeds littering the web.

Malicious code in comments is only one of the security risks that feeds and feed readers present. You can read more about this and other issues in the SPI Dynamics whitepaper “Feed Injection in Web 2.0 – Hacking RSS and Atom Feed Implementations” (PDF).
