Waxy.org
Waxy.org is the sandbox of Andy Baio, a journalist/programmer living in Portland, Oregon. I work on Kickstarter, created Upcoming.org, made an album, and some other stuff too.


Evil RSS Feeds

Posted Feb 28, 2003

Some RSS readers are vulnerable to security exploits and other annoyances embedded in RSS/XML feeds. This morning, Phil showed me a proof-of-concept sample for NewsGator, the Outlook-based RSS reader, triggered by VBScript code in an RSS feed that e-mails a random person in your Outlook address book.

Other readers may not be vulnerable to Outlook-style hacks, but they can still be screwed up by JavaScript. Try subscribing to this RSS feed I created with your reader of choice. Syndirella displays the popup window and crashes on the JavaScript alerts. How about other readers?

Just to be clear, I'm not saying this is a serious issue. Users only subscribe to trusted RSS feeds, and feed providers are extremely unlikely to put malicious code in their feeds. It's just interesting that it works.

9 Comments

Feb 28, 2003
1:53 PM  
ksmith wrote:

I subscribed to the test feed via NetNewsWire, and was able to read all the entries with no apparent effects.


Feb 28, 2003
3:39 PM  
Greg Reinacker wrote:

I have posted comments related to NewsGator and this issue at http://www.newsgator.com/news/archive.aspx?post=3.


Feb 28, 2003
3:47 PM  
Kevin Burton wrote:

I noted this over on RSS-DEV and even made an amendment to the RSS 1.0 spec describing the problem.

The RSS-DEV team made a (bad) decision that it wasn't important enough to include in the spec.


Feb 28, 2003
3:53 PM  
Andy wrote:

What was the change that you proposed?


Feb 28, 2003
6:17 PM  
paul victor novarese wrote:

Radio Userland 8.0.8/XP reads it fine.


Feb 28, 2003
6:18 PM  
paul victor novarese wrote:

No pop-ups, btw.


Mar 3, 2003
11:50 AM  
Mark wrote:

As Kevin said, this problem has been known for some time. The RSS validator will even warn if a feed contains potentially harmful HTML elements. (Please, no followups saying the validator should separately report warnings and errors. It's coming eventually.)

http://feeds.archive.org/validator/check?url=http%3A%2F%2Fwww.waxy.org%2Frandom%2Ftext%2Fevil_rss.rdf

http://feeds.archive.org/validator/docs/warning/ContainsScript


Mar 3, 2003
11:57 AM  
Mark wrote:

Another, more subtle issue is the one of security zones. Browsers like Internet Explorer carve up the world into zones, and allow you to assign different security policies to each. But browser-based aggregators like Radio and Amphetadesk subvert this by pulling in remote content and republishing it in the local zone. So even if you've disabled active scripting for remote web sites, chances are your local 127.0.0.1:8888 or :5335 address is in the local (trusted) zone and has scripting enabled.

I wouldn't necessarily classify this as a bug; the programs are functioning as designed, but the design has (possibly unintended) consequences, that's all.


Mar 12, 2003
5:12 AM  
Dmitry Jemerov wrote:

The latest build of Syndirella, 20030311, filters JavaScript from RSS description elements, so it should not be vulnerable to the simpler exploits.
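The two defensive measures the thread converges on, a ContainsScript-style warning like the validator's and stripping active content from description elements before rendering as Syndirella now does, as an added example that is neither the validator's nor Syndirella's code: it parses a constructed feed with the standard library, flags what each item contained, and returns a cleaned description.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Elements dropped together with their content, and attributes whose URLs are checked.
ACTIVE_TAGS = {"script", "object", "embed", "iframe", "applet", "style"}
URL_ATTRS = {"href", "src"}

class Sanitizer(HTMLParser):
    """Rebuilds description HTML without script elements, on* handlers or javascript: URLs."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip, self.flags = [], 0, []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.skip += 1; self.flags.append(f"<{tag}> removed"); return
        if self.skip: return
        kept = []
        for k, v in attrs:
            if k.startswith("on"):
                self.flags.append(f"{k} handler removed"); continue
            if k in URL_ATTRS and v and v.strip().lower().startswith("javascript:"):
                self.flags.append("javascript: URL removed"); continue
            kept.append(f' {k}="{html.escape(v or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            self.skip = max(0, self.skip - 1); return
        if not self.skip: self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip: self.out.append(html.escape(data, quote=False))

def sanitize_html(fragment):
    p = Sanitizer(); p.feed(fragment); p.close()
    return "".join(p.out), p.flags

def check_feed(xml_text):
    """Returns [(title, flags, clean_description)] for every <item> in the feed."""
    results = []
    for item in ET.fromstring(xml_text).iter():  # RSS 2.0 <item> or namespaced RSS 1.0 item
        if item.tag.split("}")[-1] != "item": continue
        fields = {c.tag.split("}")[-1]: (c.text or "") for c in item}
        clean, flags = sanitize_html(fields.get("description", ""))
        results.append((fields.get("title", ""), flags, clean))
    return results

# Constructed sample feed: one harmless item, one carrying the kinds of content the post describes.
SAMPLE_FEED = """<?xml version="1.0"?><rss version="2.0"><channel><title>constructed feed</title>
<item><title>plain</title><description>&lt;p&gt;Hello &amp;amp; welcome&lt;/p&gt;</description></item>
<item><title>scripted</title><description>&lt;p onmouseover="alert(1)"&gt;hi&lt;/p&gt;&lt;script&gt;alert(1)&lt;/script&gt;&lt;a href="javascript:alert(1)"&gt;x&lt;/a&gt;</description></item>
</channel></rss>"""
```

A reader would refuse to render, or at least warn on, any item whose flag list is non-empty, and render the cleaned description otherwise.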

