RSS feed readers vulnerable, if you read sketchy sources

A report presented at Blackhat suggests RSS is vulnerable to security risks – malcreants can inject Javascript into feeds that reek havoc on certain browsers.

Now, you have to be lured into subscribing to a feed that does this on purpose or pull comments as feeds from sites that don’t strip code from them. That means your source was fishy to begin with, or your favorite blog isn’t taking good care of you. The report noted that popular readers such as Bloglines, RSS Reader, RSS Owl, Feed Demon, and Sharp Reader were vulnerable.

This is a sticky fix – you can’t enable the stripping of special characters without getting rid of HTML links, and some tools are rumored to run Javascript even when the script tag is removed (I’m curious to hear what those are). I think the web-based readers can knock this issue off the list in a heartbeat – it is all the standalone readers who have to rethink the situation. Still, I wonder whether feeds validate with Javascript inside, and whether a simple plugin would at least warn people when a feed is potentially unruly.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.