Evil RSS Feeds

Some RSS readers are vulnerable to security exploits and other annoyances embedded in RSS/XML feeds. This morning, Phil showed me a proof-of-concept sample for Newsgator, the Outlook-based RSS reader, triggered by VBScript code in an RSS feed that e-mails a random person in your Outlook address book.

Other readers may not be vulnerable to Outlook-style hacks, but they can still be screwed up by Javascript. Try subscribing to this RSS feed I created with your reader of choice. Syndirella displays the popup window and crashes on the Javascript alerts. How about other readers?

Just to be clear, I’m not saying this is a serious issue. Users only subscribe to trusted RSS feeds, and feed providers are extremely unlikely to put malicious code in their feeds. It’s just interesting that it works.

Comments

    I noted this over on RSS-DEV and even made an amendment to the RSS 1.0 spec describing the problem.

    The RSS-DEV team made a (bad) decision that it wasn’t important enough to include in the spec.

    Another, more subtle issue is the one of security zones. Browsers like Internet Explorer carve up the world into zones, and allow you to assign different security policies to each. But browser-based aggregators like Radio and Amphetadesk subvert this by pulling in remote content and republishing it in the local zone. So even if you’ve disabled active scripting for remote web sites, chances are your local 127.0.0.1:8888 or :5335 address is in the local (trusted) zone and has scripting enabled.

    I wouldn’t necessarily classify this as a bug; the programs are functioning as designed, but the design has (possibly unintended) consequences, that’s all.

    The latest build of Syndirella, 20030311, filters JavaScript from RSS description elements, so it should not be vulnerable to the simpler exploits.

Comments are closed.