Robert Auger and Caleb Sima of security firm SPI Dynamics gave a 50-minute security briefing on RSS and Atom feed vulnerabilities at yesterday’s Black Hat conference in Las Vegas. Their talk, Zero Day Subscriptions: Using RSS and Atom feeds As Attack Delivery Systems, detailed how many blogging systems and feed aggregators do not guard against malicious code inserted by third parties and often run at elevated permission levels on a user’s machine, exposing an entire operating system to a potential scripting attack. I wasn’t there, but News.com summarizes some of the topics covered in the talk.
An author might lose control of his or her blog, but some blogging systems such as WordPress generate comment feeds for every post. If the blogging system does not properly sanitize third-party comments, problems could pop up not only in the rendered web page but also in the corresponding feed rendered inside of an aggregator.
Sidenote: a trusted blog today could become someone else’s blog tomorrow. It’s a good idea for aggregators to listen for a 410 Gone response and unsubscribe from the feed, since the domain or hosted account can be reused by someone else in three months or less.
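Both points above (an aggregator should never trust HTML carried in a feed, and it should drop a subscription on 410 Gone) can be shown in a small poller. This is an added example written for this post, not code from the talk or from any aggregator; the Atom feed, the URLs and the fake fetch function are constructed stand-ins for a real HTTP fetch.

```python
import html
from html.parser import HTMLParser
from xml.etree import ElementTree as ET

ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "br", "ul", "ol", "li", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href"}}  # only http(s) hrefs survive; no event handlers, no style
ATOM_CONTENT = "{http://www.w3.org/2005/Atom}content"

class Sanitizer(HTMLParser):
    """Allow-list sanitizer: unknown tags are dropped, script/style bodies are discarded,
    surviving attributes are re-escaped so a comment cannot smuggle markup into the reader."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1          # swallow everything until the matching end tag
            return
        if tag not in ALLOWED_TAGS:
            return
        safe = [f' {k}="{html.escape(v, quote=True)}"' for k, v in attrs
                if k in ALLOWED_ATTRS.get(tag, set()) and v
                and v.lower().startswith(("http://", "https://"))]
        self.out.append(f"<{tag}{''.join(safe)}>")
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data))

def sanitize(fragment):
    s = Sanitizer(); s.feed(fragment); s.close()
    return "".join(s.out)

def poll(subscriptions, fetch):
    """Fetch each feed; 410 Gone means the publisher is gone for good, so the
    subscription is dropped instead of being retried (and later hijacked)."""
    entries, keep = [], []
    for url in subscriptions:
        status, body = fetch(url)
        if status == 410:
            continue
        keep.append(url)
        if status == 200:
            for node in ET.fromstring(body).iter(ATOM_CONTENT):
                entries.append(sanitize(node.text or ""))
    return entries, keep

# Constructed comment feed carrying a hostile comment, plus a feed that has been retired.
SAMPLE_FEED = ('<feed xmlns="http://www.w3.org/2005/Atom"><entry><content type="html">'
               '&lt;p onclick="alert(1)"&gt;Nice &lt;b&gt;post&lt;/b&gt;!&lt;script&gt;steal()'
               '&lt;/script&gt;&lt;a href="javascript:alert(1)"&gt;x&lt;/a&gt;&lt;/p&gt;'
               '</content></entry></feed>')
FAKE_RESPONSES = {"https://blog.example/comments/feed": (200, SAMPLE_FEED),
                  "https://expired.example/feed": (410, "")}
def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, ""))
```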