RSS, Atom feeds ripe for attack

By Bill Brenner, Senior News Writer
07 Aug 2006 | SearchSecurity.com


LAS VEGAS -- A researcher at Black Hat USA 2006 had a warning for those who subscribe to a growing selection of RSS and Atom feeds: If a Web site is susceptible to a zero-day attack, then its feeds -- and its feed recipients -- may be as well.

Robert Auger, a security engineer for Atlanta-based SPI Dynamics Inc., explained that if a Web site offering RSS and Atom feeds becomes infected with malicious code, not only can its feeds spread the attack, but also attackers can create their own malicious feeds that seem legitimate.

Therefore, he said, subscribers must assume all feed data is malicious -- even data from trusted feeds to which an end-user may already subscribe -- and take the necessary security precautions.

"You only have to hack a couple of sites' [feeds] and you can hurt a lot of users," Auger said.

Expanding on his presentation description on the Black Hat Web site, Auger said many RSS clients fail to properly vet the data they receive, failing to guard against malicious and malformed content.

Auger said that as a test he created several feeds and injected JavaScript into some, then observed the effects. He found it's possible to conduct a number of malicious activities, including logging keystrokes, stealing cookies and launching cross-site scripting attacks.

He noted that many RSS feeds are automatically generated from content originating in third-party feeds, search engine results and other areas, which means feed subscribers can be victimized even if they don't actually subscribe to a feed that's been specifically tainted.

Auger said that as more people use feeds to view news summaries, watch movies, read blogs and download music files, the bad guys have a growing playground from which to launch bots and worms.

An increasing number of electronic publishers have begun offering RSS and Atom feeds as the technology's popularity has grown. The PEW Internet & American Life Project has estimated that as much as 9% of the U.S. Internet population uses feeds, while New York-based JupiterResearch has said that number could be as high as 12%.

In conducting its research, SPI Dynamics found Bloglines, RSS Reader, RSS Owl, FeedDemon and SharpReader to be among those vulnerable to attack. Auger noted Bloglines fixed its vulnerability immediately after it was made aware of it.

Auger said he plans to conduct further research into how the feed threat affects P2P applications, podcast clients and DVRs like TiVo. For now, he said, users should be careful when subscribing to RSS and Atom feeds.

"When you get data, you can't assume it's good," Auger said. When choosing to subscribe to a feed, "you have to consider its potential impact and where the data is coming from."
