Waxy.org
Waxy.org is the sandbox of Andy Baio, an independent journalist and programmer living in Portland, Oregon. I created Upcoming.org and some other stuff too.

Contact Me: log@waxy.org or waxpancake on AIM

Evil RSS Feeds

Posted Feb 28, 2003

Some RSS readers are vulnerable to security exploits and other annoyances embedded in RSS/XML feeds. This morning, Phil showed me a proof-of-concept sample for Newsgator, the Outlook-based RSS reader, triggered by VBScript code in an RSS feed that e-mails a random person in your Outlook address book.

Other readers may not be vulnerable to Outlook-style hacks, but they can still be screwed up by Javascript. Try subscribing to this RSS feed I created with your reader of choice. Syndirella displays the popup window and crashes on the Javascript alerts. How about other readers?

Just to be clear, I'm not saying this is a serious issue. Users only subscribe to trusted RSS feeds, and feed providers are extremely unlikely to put malicious code in their feeds. It's just interesting that it works.

9 Comments

Feb 28, 2003
1:53 PM  
ksmith wrote:

I subscribed to the test feed via NetNewsWire, and was able to read all the entries with no apparent effects.


Feb 28, 2003
3:39 PM  
Greg Reinacker wrote:

I have posted comments related to NewsGator and this issue at http://www.newsgator.com/news/archive.aspx?post=3.


Feb 28, 2003
3:47 PM  
Kevin Burton wrote:

I noted this over on RSS-DEV and even made an amendment to the RSS 1.0 spec describing the problem.

The RSS-DEV team made a (bad) decision that it wasn't important enough to include in the spec.


Feb 28, 2003
3:53 PM  
Andy wrote:

What was the change that you proposed?


Feb 28, 2003
6:17 PM  
paul victor novarese wrote:

Radio Userland 8.0.8/XP reads it fine.


Feb 28, 2003
6:18 PM  
paul victor novarese wrote:

No pop-ups, btw.


Mar 3, 2003
11:50 AM  
Mark wrote:

As Kevin said, this problem has been known for some time. The RSS validator will even warn if a feed contains potentially harmful HTML elements. (Please, no followups saying the validator should separately report warnings and errors. It's coming eventually.)

http://feeds.archive.org/validator/check?url=http%3A%2F%2Fwww.waxy.org%2Frandom%2Ftext%2Fevil_rss.rdf

http://feeds.archive.org/validator/docs/warning/ContainsScript


Mar 3, 2003
11:57 AM  
Mark wrote:

Another, more subtle issue is the one of security zones. Browsers like Internet Explorer carve up the world into zones, and allow you to assign different security policies to each. But browser-based aggregators like Radio and Amphetadesk subvert this by pulling in remote content and republishing it in the local zone. So even if you've disabled active scripting for remote web sites, chances are your local 127.0.0.1:8888 or :5335 address is in the local (trusted) zone and has scripting enabled.

I wouldn't necessarily classify this as a bug; the programs are functioning as designed, but the design has (possibly unintended) consequences, that's all.


Mar 12, 2003
5:12 AM  
Dmitry Jemerov wrote:

The latest build of Syndirella, 20030311, filters JavaScript from RSS description elements, so it should not be vulnerable to the simpler exploits.
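
The filtering Dmitry describes, and the ContainsScript check Mark points to in the validator, come down to the same thing: look at the HTML carried in each item's description before the aggregator republishes it to the browser, and either flag or strip the active parts. Here is an added example of that check written in Python; it is not code from Waxy.org, Syndirella, NewsGator or the feed validator. It assumes an RSS feed (1.0 or 2.0) whose items carry HTML in description elements, uses a constructed sample feed, and the allow-list of tags and attributes is an illustrative choice, not anything a reader on this page actually uses.

```python
"""Audit and sanitize the HTML carried in RSS <description> elements.

Added example (not part of Waxy.org or any reader mentioned on the page).
Detects the kinds of active content the post and comments discuss
(script elements, inline event handlers, javascript:/vbscript: URLs)
and returns a stripped copy an aggregator could render safely.
"""
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Elements whose whole subtree is dropped, content included.
ACTIVE_TAGS = {"script", "object", "embed", "iframe", "applet", "style"}
# Illustrative allow-list of harmless formatting elements; any other tag is
# dropped but its text is kept.
SAFE_TAGS = {"p", "a", "b", "i", "em", "strong", "br", "ul", "ol", "li",
             "blockquote", "code", "pre", "img"}
URL_ATTRS = {"href", "src"}
DANGEROUS_SCHEMES = {"javascript", "vbscript"}


def _scheme(value):
    """Lower-cased URL scheme, ignoring whitespace and control characters
    (browsers skip those inside a scheme, so 'java\\nscript:' must still match)."""
    compact = "".join(ch for ch in value if ord(ch) > 32).lower()
    return compact.split(":", 1)[0] if ":" in compact else ""


class DescriptionSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized HTML fragments
        self.findings = []   # human-readable list of what was removed
        self._skip = 0       # nesting depth inside an ACTIVE_TAGS element

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
            self._skip += 1
            return
        if self._skip or tag not in SAFE_TAGS:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):           # onclick, onmouseover, onerror, ...
                self.findings.append(f"{name} handler on <{tag}>")
                continue
            scheme = _scheme(value)
            if name in URL_ATTRS and scheme in DANGEROUS_SCHEMES:
                self.findings.append(f"{scheme}: URL in {name} on <{tag}>")
                continue
            if name in URL_ATTRS or name in ("alt", "title"):
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            self._skip = max(0, self._skip - 1)
            return
        if self._skip or tag not in SAFE_TAGS or tag in ("br", "img"):
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:                      # text inside <script> is discarded
            self.out.append(html.escape(data, quote=False))


def sanitize_description(fragment):
    """Return (clean_html, findings) for one description's HTML."""
    parser = DescriptionSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.findings


def _local(tag):
    # Strip the XML namespace so RSS 1.0 (RDF) and RSS 2.0 items are handled alike.
    return tag.rsplit("}", 1)[-1]


def audit_feed(xml_text):
    """Sanitize every <item><description> in a feed; returns one dict per item."""
    root = ET.fromstring(xml_text)
    report = []
    for item in root.iter():
        if _local(item.tag) != "item":
            continue
        title = description = ""
        for child in item:
            if _local(child.tag) == "title":
                title = child.text or ""
            elif _local(child.tag) == "description":
                description = child.text or ""
        clean, findings = sanitize_description(description)
        report.append({"title": title, "clean": clean, "findings": findings})
    return report


# Constructed sample feed: one harmless item, one carrying the kind of script
# content the post describes (entity-escaped HTML and CDATA are both common).
SAMPLE_FEED = """<rss version="2.0">
<channel>
<title>Constructed test feed</title>
<item>
<title>Harmless entry</title>
<description>&lt;p&gt;Plain &lt;b&gt;bold&lt;/b&gt; text with a &lt;a href="http://example.com/"&gt;link&lt;/a&gt;.&lt;/p&gt;</description>
</item>
<item>
<title>Entry with active content</title>
<description><![CDATA[<p onmouseover="alert(1)">Hover me</p><script>alert('hi')</script><a href="javascript:alert(2)">click</a>]]></description>
</item>
</channel>
</rss>"""

if __name__ == "__main__":
    for entry in audit_feed(SAMPLE_FEED):
        status = "FLAGGED" if entry["findings"] else "ok"
        print(f"[{status}] {entry['title']}: {entry['findings']}")
        print("   rendered as:", entry["clean"])
```

The findings list is the validator-style warning (an aggregator could refuse or badge an item on it), and the clean string is what a Syndirella-style filter would hand to the rendering widget. Doing this on the aggregator side matters because of the zone problem Mark raises: once a local reader republishes the item at 127.0.0.1, the browser applies its trusted-zone policy to it, so the only place the remote author's script can be stopped is before it is written out.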


 


Andy Baio lives here. Some rights reserved, for your pleasure.