Waxy.org
Waxy.org is the sandbox of Andy Baio, an independent journalist and programmer living in Portland, Oregon. I created Upcoming.org and some other stuff too.

Contact Me: log@waxy.org or waxpancake on AIM

Evil RSS Feeds

Posted Feb 28, 2003

Some RSS readers are vulnerable to security exploits and other annoyances embedded in RSS/XML feeds. This morning, Phil showed me a proof-of-concept sample for Newsgator, the Outlook-based RSS reader, triggered by VBScript code in an RSS feed that e-mails a random person in your Outlook address book.

Other readers may not be vulnerable to Outlook-style hacks, but they can still be screwed up by Javascript. Try subscribing to this RSS feed I created with your reader of choice. Syndirella displays the popup window and crashes on the Javascript alerts. How about other readers?

Just to be clear, I'm not saying this is a serious issue. Users only subscribe to trusted RSS feeds, and feed providers are extremely unlikely to put malicious code in their feeds. It's just interesting that it works.
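As an added example (not code from the post, and not from any of the readers named on this page), here is the defender-side fix a reader could apply before rendering: parse the feed, and run every item description through an allow-list HTML sanitizer that drops script elements, `on*` event handlers and `javascript:`-style URLs, recording what it removed so the feed can also be flagged the way a validator warning would. The feed below is constructed for this example; the RSS 2.0 `item`/`description` layout, the allow-list of tags, and the function names are all my assumptions.

```python
import html
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample feed for this example; it is NOT the evil_rss.rdf feed from the post.
# Descriptions carry XML-escaped HTML (or CDATA), which is how RSS readers receive them.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed test feed</title>
<item><title>Harmless item</title>
<description>&lt;p&gt;Just some &lt;b&gt;bold&lt;/b&gt; text and a &lt;a href="http://example.com/"&gt;link&lt;/a&gt;.&lt;/p&gt;</description></item>
<item><title>Scripted item</title>
<description>&lt;p onmouseover="alert(1)"&gt;Hover me&lt;/p&gt;&lt;script&gt;alert('evil')&lt;/script&gt;&lt;a href="javascript:alert(2)"&gt;click&lt;/a&gt;</description></item>
<item><title>CDATA item</title>
<description><![CDATA[<p>Plain <i>CDATA</i> text</p><iframe src="http://example.com/"></iframe>]]></description></item>
</channel></rss>
"""

# Allow-list chosen for this example: formatting only, no active content.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br", "blockquote", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
# These are removed together with everything inside them.
DROP_WITH_CONTENT = {"script", "style", "object", "embed", "iframe", "applet"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}   # "" = relative URL


def _safe_url(url):
    """True only for relative URLs or http/https/mailto; strips whitespace and
    control characters first so 'java\\nscript:' does not slip past the check."""
    if url is None:
        return False
    cleaned = re.sub(r"[\s\x00-\x1f]", "", url).lower()
    return urlsplit(cleaned).scheme in SAFE_SCHEMES


class FeedHTMLSanitizer(HTMLParser):
    """Rebuilds an HTML fragment keeping only allow-listed tags/attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []      # sanitized output pieces
        self.flags = []    # what was removed, for reporting/validation
        self._skip_depth = 0   # > 0 while inside a dropped element such as <script>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.flags.append(f"dropped <{tag}> element")
            self._skip_depth += 1
            return
        if self._skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.flags.append(f"dropped <{tag}> tag")
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on"):               # onmouseover, onload, ...
                self.flags.append(f"dropped {name} handler on <{tag}>")
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                             # unknown attribute: silently dropped
            if name == "href" and not _safe_url(value):
                self.flags.append(f"dropped unsafe href {value!r}")
                continue
            escaped = html.escape(value or "", quote=True)
            kept.append(f' {name}="{escaped}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # convert_charrefs=True hands us decoded text, so re-escape it on the way out.
        if not self._skip_depth:
            self.out.append(html.escape(data, quote=False))


def sanitize_html(fragment):
    """Return (clean_html, flags) for one description fragment."""
    parser = FeedHTMLSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.flags


def _local(tag):
    return tag.rsplit("}", 1)[-1]          # strip any XML namespace


def _child_text(element, name):
    for child in element:
        if _local(child.tag) == name:
            return child.text or ""
    return ""


def sanitize_feed(feed_xml):
    """Parse a feed and return one dict per item with sanitized description and flags."""
    root = ET.fromstring(feed_xml)
    items = []
    for element in root.iter():
        if _local(element.tag) != "item":
            continue
        clean, flags = sanitize_html(_child_text(element, "description"))
        items.append({"title": _child_text(element, "title"), "description": clean, "flags": flags})
    return items


if __name__ == "__main__":
    for item in sanitize_feed(SAMPLE_FEED):
        print(item["title"], "->", item["description"], item["flags"] or "(clean)")
```

The `flags` list is the detection half: a reader could surface it as a warning on the feed or refuse items that trip it, which is how a validator-style "contains script" check fits alongside the sanitizer. Note that `<script>` is dropped with its body, whereas an unknown tag is dropped but its text is kept, and that the URL check normalises whitespace before looking at the scheme.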

9 Comments

Feb 28, 2003
1:53 PM  
ksmith wrote:

I subscribed to the test feed via NetNewsWire, and was able to read all the entries with no apparent effects.


Feb 28, 2003
3:39 PM  
Greg Reinacker wrote:

I have posted comments related to NewsGator and this issue at http://www.newsgator.com/news/archive.aspx?post=3.


Feb 28, 2003
3:47 PM  
Kevin Burton wrote:

I noted this over on RSS-DEV and even made an amendment to the RSS 1.0 spec describing the problem.

The RSS-DEV team made a (bad) decision that it wasn't important enough to include in the spec.


Feb 28, 2003
3:53 PM  
Andy wrote:

What was the change that you proposed?


Feb 28, 2003
6:17 PM  
paul victor novarese wrote:

Radio Userland 8.0.8/XP reads it fine.


Feb 28, 2003
6:18 PM  
paul victor novarese wrote:

No pop-ups, btw.


Mar 3, 2003
11:50 AM  
Mark wrote:

As Kevin said, this problem has been known for some time. The RSS validator will even warn if a feed contains potentially harmful HTML elements. (Please, no followups saying the validator should separately report warnings and errors. It's coming eventually.)

http://feeds.archive.org/validator/check?url=http%3A%2F%2Fwww.waxy.org%2Frandom%2Ftext%2Fevil_rss.rdf

http://feeds.archive.org/validator/docs/warning/ContainsScript


Mar 3, 2003
11:57 AM  
Mark wrote:

Another, more subtle issue is the one of security zones. Browsers like Internet Explorer carve up the world into zones, and allow you to assign different security policies to each. But browser-based aggregators like Radio and Amphetadesk subvert this by pulling in remote content and republishing it in the local zone. So even if you've disabled active scripting for remote web sites, chances are your local 127.0.0.1:8888 or :5335 address is in the local (trusted) zone and has scripting enabled.

I wouldn't necessarily classify this as a bug; the programs are functioning as designed, but the design has (possibly unintended) consequences, that's all.


Mar 12, 2003
5:12 AM  
Dmitry Jemerov wrote:

The latest build of Syndirella, 20030311, filters JavaScript from RSS description elements, so it should not be vulnerable to the simpler exploits.



Andy Baio lives here. Some rights reserved, for your pleasure.