Waxy.org
Waxy.org is the sandbox of Andy Baio, a journalist/programmer living in Portland, Oregon. I'm the CTO of Kickstarter, created Upcoming.org, and some other stuff too.

Contact Me: log@waxy.org or waxpancake on AIM

Evil RSS Feeds

Posted Feb 28, 2003

Some RSS readers will execute script embedded in feed content, which opens them to security exploits and lesser annoyances. This morning, Phil showed me a proof-of-concept feed for NewsGator, the Outlook-based RSS reader, carrying VBScript that e-mails a random person from your Outlook address book.

Other readers may not be vulnerable to Outlook-style attacks, but they can still be tripped up by JavaScript. Try subscribing to the test feed I created (http://www.waxy.org/random/text/evil_rss.rdf) with your reader of choice. Syndirella displays the popup window and then crashes on the JavaScript alerts. How about other readers?

Just to be clear, I'm not saying this is a serious issue. Users only subscribe to trusted RSS feeds, and feed providers are extremely unlikely to put malicious code in their feeds. It's just interesting that it works.
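To make the fix concrete, here is an added example (mine, not code from this post, from Syndirella, NewsGator or the feed validator) of what an aggregator can do before rendering a description: run every item through an allowlist HTML filter that drops script blocks, on* handlers and javascript: URLs. The sample feed, the tag and attribute allowlists and the example.invalid URL are assumptions constructed for the example.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample feed for this example (not the feed linked from the post).
EVIL_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Test feed</title>
<item><title>Plain item</title>
<description>&lt;p&gt;Harmless &lt;b&gt;markup&lt;/b&gt;.&lt;/p&gt;</description></item>
<item><title>Scripted item</title>
<description><![CDATA[
<p>Hello<script>alert("popup")</script></p>
<img src="x.gif" onerror="alert(1)">
<a href="javascript:alert(2)">click</a>
<a href="http://example.invalid/">ok</a>
]]></description></item>
</channel></rss>"""

# Allowlists (assumptions for the example; a real reader would tune these).
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "img", "br", "ul", "ol", "li", "blockquote", "pre", "code"}
URL_ATTRS = {"a": {"href"}, "img": {"src"}}      # must carry a safe scheme
PLAIN_ATTRS = {"a": {"title"}, "img": {"alt", "title"}}
VOID_TAGS = {"img", "br"}
SKIP_TAGS = {"script", "style"}                   # dropped together with content
SAFE_SCHEMES = ("http:", "https:", "mailto:")


class Sanitizer(HTMLParser):
    """Allowlist filter: unknown tags vanish (their text stays), script/style
    vanish with their content, on* handlers and non-http(s)/mailto URLs go."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack, self.flags = [], [], []
        self.skip_depth = 0          # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in SKIP_TAGS:
            self.skip_depth += 1
            self.flags.append(f"dropped <{tag}> and its content")
            return
        if self.skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.flags.append(f"dropped unknown tag <{tag}>")
            return
        kept = []
        for name, value in attrs:    # HTMLParser lowercases names for us
            value = value or ""
            if name in URL_ATTRS.get(tag, ()):
                # Require an explicit safe scheme; padded or mixed-case
                # "javascript:" never starts with http:, https: or mailto:.
                if value.strip().lower().startswith(SAFE_SCHEMES):
                    kept.append((name, value))
                    continue
            elif name in PLAIN_ATTRS.get(tag, ()):
                kept.append((name, value))
                continue
            self.flags.append(f"dropped attribute {name} on <{tag}>")
        attr_text = "".join(f' {n}="{html.escape(v)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in SKIP_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.stack:
            return
        while self.stack:            # also closes anything left open inside
            open_tag = self.stack.pop()
            self.out.append(f"</{open_tag}>")
            if open_tag == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

    def result(self):
        while self.stack:            # close tags the feed never closed
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize_html(fragment):
    """Return (clean_html, reasons_content_was_removed)."""
    s = Sanitizer()
    s.feed(fragment)
    s.close()
    return s.result(), s.flags


def read_feed(xml_text):
    """Parse RSS 2.0; 'raw' is what a naive reader renders, 'clean' is what a
    hardened one should render instead."""
    items = []
    for item in ET.fromstring(xml_text).iter("item"):
        raw = item.findtext("description", default="")
        clean, flags = sanitize_html(raw)
        items.append({"title": item.findtext("title", default=""),
                      "raw": raw, "clean": clean, "flags": flags})
    return items


if __name__ == "__main__":
    for entry in read_feed(EVIL_FEED):
        print(entry["title"], "->", " ".join(entry["clean"].split()), entry["flags"])
```

Rendering item["raw"] is the behaviour that makes the popups and crashes above possible; render item["clean"] instead. The flags list is the reader-side counterpart of the feed validator's ContainsScript warning. The parser assumes RSS 2.0 elements without a namespace; an RSS 1.0 (RDF) feed puts <item> in a namespace, so the iter() lookup would need the namespaced tag name.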

9 Comments

ksmith wrote (Feb 28, 2003, 1:53 PM):

I subscribed to the test feed via NetNewsWire, and was able to read all the entries with no apparent effects.


Greg Reinacker wrote (Feb 28, 2003, 3:39 PM):

I have posted comments related to NewsGator and this issue at http://www.newsgator.com/news/archive.aspx?post=3.


Kevin Burton wrote (Feb 28, 2003, 3:47 PM):

I noted this over on RSS-DEV and even made an amendment to the RSS 1.0 spec describing the problem.

The RSS-DEV team made a (bad) decision that it wasn't important enough to include in the spec.


Andy wrote (Feb 28, 2003, 3:53 PM):

What was the change that you proposed?


paul victor novarese wrote (Feb 28, 2003, 6:17 PM):

Radio Userland 8.0.8/XP reads it fine.


paul victor novarese wrote (Feb 28, 2003, 6:18 PM):

No pop-ups, btw.


Mark wrote (Mar 3, 2003, 11:50 AM):

As Kevin said, this problem has been known for some time. The RSS validator will even warn if a feed contains potentially harmful HTML elements. (Please, no followups saying the validator should separately report warnings and errors. It's coming eventually.)

http://feeds.archive.org/validator/check?url=http%3A%2F%2Fwww.waxy.org%2Frandom%2Ftext%2Fevil_rss.rdf

http://feeds.archive.org/validator/docs/warning/ContainsScript


Mark wrote (Mar 3, 2003, 11:57 AM):

Another, more subtle issue is the one of security zones. Browsers like Internet Explorer carve up the world into zones, and allow you to assign different security policies to each. But browser-based aggregators like Radio and Amphetadesk subvert this by pulling in remote content and republishing it in the local zone. So even if you've disabled active scripting for remote web sites, chances are your local 127.0.0.1:8888 or :5335 address is in the local (trusted) zone and has scripting enabled.

I wouldn't necessarily classify this as a bug; the programs are functioning as designed, but the design has (possibly unintended) consequences, that's all.


Dmitry Jemerov wrote (Mar 12, 2003, 5:12 AM):

The latest build of Syndirella, 20030311, filters JavaScript from RSS description elements, so it should not be vulnerable to the simpler exploits.








Andy Baio lives here. Some rights reserved, for your pleasure.