Robert Auger and Caleb Sima of security firm SPI Dymanics gave a 50-minute security briefing on RSS and Atom feed vulnerabilities at yesterday’s Black Hat conference in Las Vegas. Their talk, Zero Day Subscriptions: Using RSS and Atom feeds As Attack Delivery Systems, detailed how many blogging systems and feed aggregators do not block against malicious code insertion by third parties and often run at elevated permission levels on a user’s machine, exposing an entire operating system to a potential scripting attack. I wasn’t there, but News.com summarizes some of the topics covered in the talk.
Auger listed Bloglines, RSS Reader, RSS Owl, FeedDemon, and SharpReader as feed aggregators vulnerable to one or more of the attacks.
Malicious JavaScript code could be included in a feed item’s main content. It’s a good idea to strip out and sanitize this markup, or at least whitelist known and allowed sources of such code to prevent local code execution from alert boxes to much worse. Mark Pilgrim’s sample RSS 2.0 feed from Universal Feed Parser is one example.
An author might lose control of his or her blog, but some blogging systems such as WordPress generate comment feeds for every post. If the blogging system does not properly sanitize the third-party comment problems could pop up not only in the rendered web page but also in the corresponding feed rendered inside of an aggregator.
Sidenote: a trusted blog today could become someone else’s blog tomorrow. It’s a good idea for aggregators to listen for a 410 Gone response and unsubscribe from the feed since the domain or hosted account can be reused by someone else in three months or less.
The presentation also mentioned desktop aggregators binding to Internet Explorer and running at unnecessarily high security trust levels. This behavior gives downloaded JavaScript full access to your PC for extra nasties.
Update: A whitepaper on the exploits, including example feeds, is available from SPI Dynamics.
Sigh. Been saying this for years. Literally. I have permalinks to prove it. Nobody cares. We publicly disclosed a Bloglines bug that allowed you to construct a web page that autosubscribed a visitor to the feed of your choice. Then we publicly disclosed an entirely separate bug where you could construct a feed that did the same thing (autosubscribe the user to another feed) just by previewing it in Bloglines. Bloglines sat on them for over six months.
I spent an insane amount of time preventing this at Rojo.
Mark is right…. people don’t care (at least until a security researcher calls them on it). Even then they don’t really care because they forget about it 48 hours later.
I have some solutions to this but they require changes across all browsers. Which I don’t really have the time to spend pushing this on the browser vendors.
hm…. maybe a microformat for this…. stay tuned.
Nick Bradbury of FeedDemon has blogged about this:
Please see his blog post for the full details.
Jack Brewster
Technical Support
NewsGator Technologies