Waxy.org
Waxy.org is the sandbox of Andy Baio, a writer and tech entrepreneur in Portland, OR. I work with Expert Labs, helped build Kickstarter, founded Upcoming, made an album, and other stuff too.

Evil RSS Feeds

Posted Feb 28, 2003

Some RSS readers are vulnerable to security exploits and other annoyances embedded in RSS/XML feeds. This morning, Phil showed me a proof of concept for NewsGator, the Outlook-based RSS reader: VBScript embedded in a feed item that, once the reader renders the item, e-mails a random person in your Outlook address book.

Other readers may not be vulnerable to Outlook-style hacks, but they can still be screwed up by JavaScript. Try subscribing to this RSS feed I created with your reader of choice. Syndirella displays the popup window and crashes on the JavaScript alerts. How about other readers?

Just to be clear, I'm not saying this is a serious issue. Users generally subscribe only to feeds they trust, and feed providers are extremely unlikely to put malicious code in their feeds. It's just interesting that it works.

9 Comments

Feb 28, 2003
1:53 PM  
ksmith wrote:

I subscribed to the test feed via NetNewsWire, and was able to read all the entries with no apparent effects.


Feb 28, 2003
3:39 PM  
Greg Reinacker wrote:

I have posted comments related to NewsGator and this issue at http://www.newsgator.com/news/archive.aspx?post=3.


Feb 28, 2003
3:47 PM  
Kevin Burton wrote:

I noted this over on RSS-DEV and even made an amendment to the RSS 1.0 spec describing the problem.

The RSS-DEV team made a (bad) decision that it wasn't important enough to include in the spec.


Feb 28, 2003
3:53 PM  
Andy wrote:

What was the change that you proposed?


Feb 28, 2003
6:17 PM  
paul victor novarese wrote:

Radio Userland 8.0.8/XP reads it fine.


Feb 28, 2003
6:18 PM  
paul victor novarese wrote:

No pop-ups, btw.


Mar 3, 2003
11:50 AM  
Mark wrote:

As Kevin said, this problem has been known for some time. The RSS validator will even warn if a feed contains potentially harmful HTML elements. (Please, no followups saying the validator should separately report warnings and errors. It's coming eventually.)

http://feeds.archive.org/validator/check?url=http%3A%2F%2Fwww.waxy.org%2Frandom%2Ftext%2Fevil_rss.rdf

http://feeds.archive.org/validator/docs/warning/ContainsScript


Mar 3, 2003
11:57 AM  
Mark wrote:

Another, more subtle issue is the one of security zones. Browsers like Internet Explorer carve up the world into zones, and allow you to assign different security policies to each. But browser-based aggregators like Radio and Amphetadesk subvert this by pulling in remote content and republishing it in the local zone. So even if you've disabled active scripting for remote web sites, chances are your local 127.0.0.1:8888 or :5335 address is in the local (trusted) zone and has scripting enabled.

I wouldn't necessarily classify this as a bug; the programs are functioning as designed, but the design has (possibly unintended) consequences, that's all.


Mar 12, 2003
5:12 AM  
Dmitry Jemerov wrote:

The latest build of Syndirella, 20030311, filters JavaScript from RSS description elements, so it should not be vulnerable to the simpler exploits.


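The post describes script embedded in feed descriptions running inside the reader, Mark's comments point at the validator's ContainsScript warning and at aggregators republishing remote HTML in the browser's local zone, and Dmitry's says Syndirella now filters JavaScript out of description elements. What follows is an added example, not code from the original post, from any of the readers named, or from the feed validator: a small Python scanner that pulls the description out of each feed item (matching elements by local name so both RSS 1.0/RDF and RSS 2.0 feeds work), records the active-content constructs a reader would have to strip before rendering, and emits a scrubbed copy. The sample feed, the tag and attribute lists, and the function names are constructed for this example. URL attributes are entity-decoded and stripped of whitespace before the scheme check, which is what catches the `&#106;avascript:` and `java<tab>script:` forms that a plain substring filter misses.

```python
import re
from html import escape
from html.parser import HTMLParser
import xml.etree.ElementTree as ET

# Constructed sample feed for this example (not the feed from the post): one benign
# item and two carrying the kinds of active content discussed above.
EVIL_FEED = """<rss version="2.0"><channel><title>constructed test feed</title>
<item><title>benign</title>
<description>&lt;p&gt;Hello &lt;b&gt;world&lt;/b&gt;&lt;/p&gt;</description></item>
<item><title>alert</title>
<description><![CDATA[<p>Hi</p><script>alert('owned')</script><img src="x" onerror="alert(1)">]]></description></item>
<item><title>link</title>
<description>&lt;a href="javascript:alert(2)"&gt;click&lt;/a&gt;&lt;iframe src="http://example.invalid/"&gt;&lt;/iframe&gt;</description></item>
</channel></rss>"""

ACTIVE_CONTAINERS = {"script", "style", "iframe", "object", "applet"}  # dropped with their content
ACTIVE_VOID = {"embed", "meta", "link", "base"}  # dropped on their own (no content to skip)
VOID = {"img", "br", "hr", "input", "area", "col"}  # HTML void elements: never emit a closing tag
URL_ATTRS = {"href", "src", "action", "background", "lowsrc"}  # attributes whose scheme is checked
BAD_SCHEMES = ("javascript:", "vbscript:")


class Scrubber(HTMLParser):
    """Re-serialize an HTML fragment, dropping active content and recording what was dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # text and attribute values arrive entity-decoded
        self.out = []
        self.findings = []
        self._skip = 0  # > 0 while inside a dropped container element

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_CONTAINERS:
            self.findings.append(f"<{tag}> element")
            self._skip += 1
            return
        if tag in ACTIVE_VOID:
            self.findings.append(f"<{tag}> element")
            return
        if self._skip:
            return
        kept = []
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):  # onload, onerror, onmouseover, ...
                self.findings.append(f"{lname} handler on <{tag}>")
                continue
            if lname in URL_ATTRS and value is not None:
                # Entities are already decoded; remove whitespace and control characters
                # so that "java\tscript:" normalizes to "javascript:" before the check.
                normalized = re.sub(r"[\s\x00-\x1f]", "", value).lower()
                if normalized.startswith(BAD_SCHEMES):
                    self.findings.append(f"{normalized.split(':')[0]}: URL in {lname} on <{tag}>")
                    continue
            kept.append((lname, value))
        attr_text = "".join(
            f' {n}="{escape(v, quote=True)}"' if v is not None else f" {n}" for n, v in kept
        )
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag in ACTIVE_CONTAINERS:
            self._skip = max(self._skip - 1, 0)
            return
        if self._skip or tag in ACTIVE_VOID or tag in VOID:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))


def scrub_html(fragment):
    """Return (scrubbed_html, findings) for one description fragment."""
    parser = Scrubber()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.findings


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip any XML namespace, e.g. RSS 1.0's RDF namespace


def _child_text(el, name):
    for child in el:
        if _local(child.tag) == name:
            return child.text or ""
    return ""


def scan_feed(xml_text):
    """Map each item title to its scrubbed description and the findings raised against it."""
    root = ET.fromstring(xml_text)
    report = {}
    for el in root.iter():
        if _local(el.tag) != "item":
            continue
        clean, findings = scrub_html(_child_text(el, "description"))
        report[_child_text(el, "title")] = {"clean": clean, "findings": findings}
    return report


if __name__ == "__main__":
    for title, result in scan_feed(EVIL_FEED).items():
        print(title, result)
```

Run against the constructed feed, the benign item passes through unchanged, the second item loses its `<script>` element and the `onerror` handler on the image, and the third loses the `javascript:` link target and the iframe. Mark's zone observation is the reason the scrub has to happen before republishing: a reader that serves feed content from 127.0.0.1 inherits whatever scripting policy the browser applies to that zone, so nothing downstream will refuse to run what the reader lets through.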