Waxy.org
Waxy.org is the sandbox of Andy Baio, a journalist/programmer living in Portland, Oregon. I'm the CTO of Kickstarter, created Upcoming.org, and some other stuff too.


Evil RSS Feeds

Posted Feb 28, 2003

Some RSS readers are vulnerable to security exploits and other annoyances embedded in RSS/XML feeds. This morning, Phil showed me a proof-of-concept sample for Newsgator, the Outlook-based RSS reader, triggered by VBScript code in an RSS feed that e-mails a random person in your Outlook address book.

Other readers may not be vulnerable to Outlook-style hacks, but they can still be screwed up by JavaScript. Try subscribing to this RSS feed I created with your reader of choice. Syndirella displays the popup window and crashes on the JavaScript alerts. How about other readers?

Just to be clear, I'm not saying this is a serious issue. Users only subscribe to trusted RSS feeds, and feed providers are extremely unlikely to put malicious code in their feeds. It's just interesting that it works.
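A defender-side check for the behaviour described above, as an added example that is neither the post's code nor that of any reader it names: it parses a feed, flags script elements, on* handlers and javascript: URLs in each item's description (the kind of thing a feed validator warns about), and returns a sanitised copy a reader could render instead. The sample feed is constructed, and `audit_feed` / `ScriptStripper` are names chosen here, not anyone's API.

```python
# Added example (not Waxy.org's or any named reader's code): flag and strip active content in RSS descriptions.
import xml.etree.ElementTree as ET
from html import escape
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe"}  # dropped together with their content
class ScriptStripper(HTMLParser):
    # Re-serialises description HTML without active elements, on* handlers or javascript: URLs; logs each removal.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.findings, self._skip = [], [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
            self._skip += 1                      # swallow everything up to the matching end tag
            return
        if self._skip: return
        kept = []
        for name, value in attrs:                # HTMLParser lowercases tag and attribute names
            value = value or ""
            if name.startswith("on"):            # onload=, onmouseover=, ...
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in ("href", "src") and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            self._skip = max(0, self._skip - 1)
        elif not self._skip:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))
def _child_text(el, name):  # local-name match, so RSS 1.0 (RDF) and RSS 2.0 items both work
    return next((c.text or "" for c in el if c.tag.split("}")[-1] == name), "")
def audit_feed(xml_text):
    """Map each item's title to (sanitised description HTML, list of findings)."""
    results = {}
    for item in ET.fromstring(xml_text).iter():
        if item.tag.split("}")[-1] == "item":
            p = ScriptStripper(); p.feed(_child_text(item, "description")); p.close()
            results[_child_text(item, "title")] = ("".join(p.out), p.findings)
    return results
# Constructed sample feed: one harmless item and one carrying the alert()-style script the post describes.
SAMPLE_FEED = """<rss version="2.0"><channel><title>constructed test feed</title>
<item><title>benign</title><description>&lt;p&gt;Hello &lt;a href="http://example.com/"&gt;link&lt;/a&gt;&lt;/p&gt;</description></item>
<item><title>scripted</title><description>&lt;p onmouseover="alert(1)"&gt;Hi&lt;/p&gt;&lt;script&gt;alert('x')&lt;/script&gt;&lt;a href="javascript:alert(2)"&gt;x&lt;/a&gt;</description></item>
</channel></rss>"""
```

A reader that logs `findings` per feed gets the validator-style warning; one that renders the first tuple element instead of the raw description gets the Syndirella-style filtering.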

9 Comments

Feb 28, 2003
1:53 PM  
ksmith wrote:

I subscribed to the test feed via NetNewsWire, and was able to read all the entries with no apparent effects.


Feb 28, 2003
3:39 PM  
Greg Reinacker wrote:

I have posted comments related to NewsGator and this issue at http://www.newsgator.com/news/archive.aspx?post=3.


Feb 28, 2003
3:47 PM  
Kevin Burton wrote:

I noted this over on RSS-DEV and even made an amendment to the RSS 1.0 spec describing the problem.

The RSS-DEV team made a (bad) decision that it wasn't important enough to include in the spec.


Feb 28, 2003
3:53 PM  
Andy wrote:

What was the change that you proposed?


Feb 28, 2003
6:17 PM  
paul victor novarese wrote:

Radio Userland 8.0.8/XP reads it fine.


Feb 28, 2003
6:18 PM  
paul victor novarese wrote:

No pop-ups, btw.


Mar 3, 2003
11:50 AM  
Mark wrote:

As Kevin said, this problem has been known for some time. The RSS validator will even warn if a feed contains potentially harmful HTML elements. (Please, no followups saying the validator should separately report warnings and errors. It's coming eventually.)

http://feeds.archive.org/validator/check?url=http%3A%2F%2Fwww.waxy.org%2Frandom%2Ftext%2Fevil_rss.rdf

http://feeds.archive.org/validator/docs/warning/ContainsScript


Mar 3, 2003
11:57 AM  
Mark wrote:

Another, more subtle issue is the one of security zones. Browsers like Internet Explorer carve up the world into zones, and allow you to assign different security policies to each. But browser-based aggregators like Radio and Amphetadesk subvert this by pulling in remote content and republishing it in the local zone. So even if you've disabled active scripting for remote web sites, chances are your local 127.0.0.1:8888 or :5335 address is in the local (trusted) zone and has scripting enabled.

I wouldn't necessarily classify this as a bug; the programs are functioning as designed, but the design has (possibly unintended) consequences, that's all.


Mar 12, 2003
5:12 AM  
Dmitry Jemerov wrote:

The latest build of Syndirella, 20030311, filters JavaScript from RSS description elements, so it should not be vulnerable to the simpler exploits.

