Robert Auger and Caleb Sima of security firm SPI Dynamics gave a 50-minute security briefing on RSS and Atom feed vulnerabilities at yesterday's Black Hat conference in Las Vegas. Their talk, Zero Day Subscriptions: Using RSS and Atom feeds As Attack Delivery Systems, detailed how many blogging systems and feed aggregators do not block malicious code inserted by third parties and often run at elevated permission levels on a user's machine, exposing an entire operating system to a potential scripting attack. I wasn't there, but News.com summarizes some of the topics covered in the talk.
Auger listed Bloglines, RSS Reader, RSS Owl, FeedDemon, and SharpReader as feed aggregators vulnerable to one or more of the attacks.
Malicious JavaScript code could be included in a feed item's main content. It's a good idea to strip out and sanitize this markup, or at least whitelist known and allowed sources of such code, to prevent local script execution ranging from alert boxes to much worse. Mark Pilgrim's sample RSS 2.0 feed from Universal Feed Parser is one example.
An author might lose control of his or her blog, but some blogging systems such as WordPress generate comment feeds for every post. If the blogging system does not properly sanitize third-party comments, problems could pop up not only in the rendered web page but also in the corresponding feed rendered inside of an aggregator.
Sidenote: a trusted blog today could become someone else's blog tomorrow. It's a good idea for aggregators to listen for a 410 Gone response and unsubscribe from the feed since the domain or hosted account can be reused by someone else in three months or less.
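As an added illustration (not code from the original post, from SPI Dynamics, or from any of the aggregators named above), the following Python script shows the two defensive measures discussed in the preceding paragraphs: an allowlist-based HTML sanitizer applied to each item's content before it reaches a renderer, and a poll handler that retires a subscription when the server answers 410 Gone. The sample feed, the tag and attribute allowlists, and all function names are constructed for this example and are not from any real aggregator.

```python
"""Added example: defensive handling of RSS item content and 410 Gone responses.
Not the post's or any aggregator's code; allowlists and feed are constructed."""
import xml.etree.ElementTree as ET
from html import escape
from html.parser import HTMLParser

# Constructed allowlist: only inert formatting survives; no script, style,
# img, iframe, object, embed, or event-handler attributes are ever emitted.
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li",
                "br", "blockquote", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}


class Sanitizer(HTMLParser):
    """Rebuilds a fragment from an allowlist instead of trying to blacklist."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # >0 while inside <script>/<style>: drop text too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text content is kept
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            # Scheme check blocks javascript: and data: URLs in href
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # treat <br/> like <br>

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize_html(fragment):
    """Return a fragment containing only allowlisted tags and attributes."""
    s = Sanitizer()
    s.feed(fragment)
    s.close()
    return "".join(s.out)


def parse_rss_items(xml_text):
    """Return (escaped title, sanitized description) pairs from RSS 2.0 XML."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        title = (item.findtext("title") or "").strip()
        description = item.findtext("description") or ""
        items.append((escape(title), sanitize_html(description)))
    return items


def handle_feed_response(status, body):
    """Decide what a poll result means for the subscription.

    410 Gone retires the feed outright, so a domain or hosted account that is
    later reused by someone else never gets to push content to this reader.
    """
    if status == 410:
        return {"action": "unsubscribe", "items": []}
    if status == 304:
        return {"action": "unchanged", "items": []}
    if status != 200:
        return {"action": "retry_later", "items": []}
    return {"action": "keep", "items": parse_rss_items(body)}


# Constructed sample feed: one benign item and one carrying active content.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed test feed</title>
<item><title>Safe post</title>
<description><![CDATA[<p>Hello <b>world</b> <a href="https://example.com/">link</a></p>]]></description></item>
<item><title>Hostile post &amp; title</title>
<description><![CDATA[<p>Look</p><script>alert(1)</script><a href="javascript:alert(2)">x</a><img src=x onerror=alert(3)>]]></description></item>
</channel></rss>"""

if __name__ == "__main__":
    for title, body in handle_feed_response(200, SAMPLE_FEED)["items"]:
        print(title, "->", body)
    print(handle_feed_response(410, "")["action"])
```

The sanitizer rebuilds output from an allowlist rather than deleting known-bad tags, so anything the allowlist does not name (including future HTML elements) is dropped by default; the `href` scheme check is what stops `javascript:` and `data:` links from surviving inside an otherwise permitted `<a>` tag.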
The presentation also mentioned desktop aggregators binding to Internet Explorer and running at unnecessarily high security trust levels. This behavior gives downloaded JavaScript full access to your PC for extra nasties.
Update: A whitepaper on the exploits, including example feeds, is available from SPI Dynamics.

3 Comments
Commentary on "Black Hat presentation exposes RSS and Atom risks in the wild":
Mark on August 4, 2006 at 9:50 AM wrote:
Kevin Burton on August 4, 2006 at 4:05 PM wrote:
Jack Brewster on August 6, 2006 at 9:34 PM wrote:
Nick Bradbury of FeedDemon has blogged about this:
Please see his blog post for the full details.
Jack Brewster, Technical Support, NewsGator Technologies