News

Monday, 7 August 2006

RSS and Web Feeds a Risky Business

The risks associated with web-based feeds such as Really Simple Syndication (RSS) and Atom were laid out at the Black Hat security conference. Attackers could insert malicious JavaScript into content that is delivered to subscribers of data feeds using the popular RSS or Atom formats, Bob Auger, a security engineer with web security company SPI Dynamics, said in a presentation at the Black Hat security event.

Auger said that all kinds of information feeds are subject to this risk, since any of them can be used to transmit malicious content to a subscriber. SPI Dynamics examined a number of online and offline applications used to read RSS and Atom feeds. In many cases, any JavaScript code delivered in the feed would run on the user's PC, leaving the user's system open to attack, Auger said. JavaScript is a scripting language that experts say is an increasing source of security concerns.

"A lot of blogs will take user comments and stick them into their own RSS feeds," he said. Attackers can also send malicious code to mailing lists that offer RSS or Atom feeds and reach vulnerable systems that way, Auger said. According to certain sources, comments are the most likely vector of attack. The underlying problem is any feed reader that naively trusts the HTML carried in a feed.

Many feed-reading applications are at fault because their designers omitted basic security checks, Auger said. In particular, the applications should not allow JavaScript included in feeds to run; instead, it should be filtered out, he said.

As protection, users could switch to a reader that is not vulnerable. Feed publishers could also ensure their feeds contain no malicious JavaScript, or no script at all, Auger said. Some services, however, rely on JavaScript to deliver ads in feeds, he noted.
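The filtering Auger recommends, shown here as an added example that is not SPI Dynamics' or any feed reader's own code: an allowlist-based sanitizer that a reader would apply to the HTML in each RSS item before rendering it. It drops script and style elements together with their contents, removes every attribute not explicitly permitted (which covers all on* event handlers), and rejects link targets whose scheme is not http, https or mailto. The feed content, the allowlist and the helper names are constructed for this illustration; it uses only the Python standard library.

```python
import html
from html.parser import HTMLParser
from xml.etree import ElementTree as ET
# Allowlist of what the reader may render; anything else (script, iframe, on* handlers, ...) is dropped.
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li", "br", "code", "pre", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")

class FeedHTMLSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0  # skip_depth > 0 while inside <script>/<style>
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1  # drop the element together with its text
        elif not self.skip_depth and tag in ALLOWED_TAGS:
            kept = ""
            for name, value in attrs:
                value = (value or "").strip()
                if name not in ALLOWED_ATTRS.get(tag, ()):
                    continue  # removes every on* event handler and any unknown attribute
                if name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                    continue  # removes javascript:, data:, vbscript: and similar URLs
                kept += f' {name}="{html.escape(value, quote=True)}"'
            self.out.append(f"<{tag}{kept}>")
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip_depth:  # text inside <script>/<style> never reaches the output
            self.out.append(html.escape(data, quote=False))

def sanitize_html(fragment):
    p = FeedHTMLSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)

def sanitize_feed(xml_text):
    """Return [(title, safe_description)] for every <item> of an RSS 2.0 document."""
    root = ET.fromstring(xml_text)
    return [(html.escape(i.findtext("title", ""), quote=False), sanitize_html(i.findtext("description", "")))
            for i in root.iter("item")]

# Constructed sample: a syndicated blog comment carrying markup the reader must not execute.
SAMPLE_FEED = """<rss version="2.0"><channel><item><title>Reader comment</title><description><![CDATA[<p onmouseover="alert(1)">Nice <b>post</b>!</p><script>alert('xss')</script>
<a href="javascript:alert(2)">bad</a> <a href="https://example.org/">ok</a>]]></description></item></channel></rss>"""
```

Running `sanitize_feed(SAMPLE_FEED)` keeps the comment's paragraph, bold text and the https link while the event handler, the script element and the javascript: link target are all gone; a real reader would also want to treat Atom content the same way and render the result with no further HTML interpretation of the title.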

Copyright © 2008 SDA Asia Magazine - All Rights Reserved