RSS Feeds at Risk From Attackers?
The comments were made during a presentation at the Black Hat convention in Las Vegas, a yearly meeting of both hackers and security researchers. SPI Dynamics Security Engineer Robert Auger said that the issue could potentially affect any such information feed.
Auger's company said any type of RSS reader was susceptible to attack, whether software or web-based. Data at risk could include sensitive information such as passwords and personal data.
While attackers could launch their own blogs and feeds to distribute the harmful code, Auger believes that the previously mentioned scenario is likely to be the most commonly used method.
But who is to blame for the security risk? It appears to be the creators of the RSS applications themselves, who have failed to include proper security checks within the programs.
Of the Web-based readers, Bloglines was mentioned as vulnerable to attack. Of the software readers, Auger mentioned RSS Reader, RSS Owl, Feed Demon, and Sharp Reader. It should be mentioned this list of vulnerable readers is by no means complete; Auger was still contacting vendors about the problem at the time of his presentation.
To protect computers, Auger has advised that users go into their options and disable scripts, applets, and plug-ins from being launched within feeds. "Wherever you get data from you can't assume that data is good," he told the audience.
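Added here to illustrate the kind of check Auger says readers lack, not code from the article or from SPI Dynamics: an allowlist sanitizer in Python that an RSS reader could apply to item descriptions before rendering them, run over a constructed hostile feed (the feed content, tag allowlist and function names are assumptions).

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed hostile feed (not a real feed): a description mixing ordinary
# markup with a script, an event handler, a javascript: link and plug-in tags.
FEED_XML = """<rss version="2.0"><channel><item><title>Example</title>
<description><![CDATA[<p onmouseover="alert(1)">Hello <b>world</b>
<script>alert(document.cookie)</script>
<a href="javascript:alert(2)">bad</a> <a href="https://example.test/ok">ok</a>
<applet code="Evil.class"></applet><object data="x.swf"></object></p>]]></description>
</item></channel></rss>"""

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href"}}          # every other attribute, including on* handlers, is dropped
SAFE_SCHEMES = ("http://", "https://")   # rejects javascript:, data:, vbscript: links
DROP_WITH_CONTENT = {"script", "style", "applet", "object", "embed", "iframe"}

class FeedSanitizer(HTMLParser):
    """Allowlist rewriter: unknown tags/attributes are removed; script and plug-in bodies are discarded."""
    def __init__(self):
        super().__init__()
        self.out, self.skip = [], 0      # skip > 0 while inside a dropped element
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif tag in ALLOWED_TAGS and not self.skip:
            kept = [f' {k}="{html.escape(v, quote=True)}"' for k, v in attrs
                    if k in ALLOWED_ATTRS.get(tag, ()) and v
                    and v.strip().lower().startswith(SAFE_SCHEMES)]
            self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and not self.skip:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data))   # text is re-escaped, never emitted raw

def sanitize_html(fragment: str) -> str:
    parser = FeedSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)

def sanitize_feed(xml_text: str) -> list[dict]:
    """Parse an RSS 2.0 document and return its items with sanitized descriptions."""
    root = ET.fromstring(xml_text)
    return [{"title": item.findtext("title", ""),
             "description": sanitize_html(item.findtext("description", ""))}
            for item in root.iter("item")]
```

Calling `sanitize_feed(FEED_XML)` keeps the paragraph, bold text and the https link while the script body, the event handler, the javascript: URL and the applet/object elements are gone.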