RSS vulnerable?
Well, yeah. Of course. The perfect storm for a new wave of attacks:
1. A new protocol, catching on fast, whose clients completely trust the content they pull.
2. Insecure servers maintained by inexperienced sys-admins.
3. A vulnerable RSS reader tied directly to the OS. (Can you say IE7.0?)
A report [link to http://news.com.com/Blog+feeds+may+carry+security+risk/2100-1002_3-6102171.html no longer works] out of SPI Dynamics [http://www.spidynamics.com/] at BlackHat this week:
Attackers could insert malicious JavaScript in content that is transferred to subscribers of data feeds that use the popular RSS (Really Simple Syndication) or Atom formats, Bob Auger, a security engineer with Web security company SPI Dynamics, said Thursday in a presentation at the Black Hat security event here.
Not a new idea: it was predicted as early as 2005 by security bloggers [link to http://blogs.zdnet.com/threatchaos/?p=31 no longer works]. 🙂
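The defensive side of the point above, as an added example that is not code from this post, from SPI Dynamics, or from any reader mentioned here: a feed reader has to treat the HTML inside every `<description>` as untrusted input. The sanitizer below parses a constructed RSS 2.0 document and rewrites each item through an allowlist filter that drops `<script>`/`<style>` bodies, unknown tags, every attribute not explicitly permitted (so all `on*` handlers), and any `href`/`src` whose scheme is not http, https or mailto. The sample feed, the allowlists and the helper names are all assumptions made for this example.

```python
"""Allowlist sanitizer for RSS item HTML (added example, constructed input)."""
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Tags a reader may render; anything else is dropped but its text is kept.
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li",
                "br", "img", "blockquote", "code", "pre"}
# Per-tag attribute allowlist: no on* handlers, no style, nothing else.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br", "img"}
# Elements whose text content is itself code and must be discarded entirely.
DROP_CONTENT_TAGS = {"script", "style"}


def _safe_url(url):
    """Accept http(s)/mailto or relative URLs; reject javascript: and friends.
    Whitespace and non-printable characters are stripped first because
    browsers tolerate them in front of the scheme."""
    cleaned = "".join(c for c in url if c.isprintable() and not c.isspace()).lower()
    return cleaned.startswith(SAFE_SCHEMES) or cleaned.startswith(("/", "#"))


class FeedHtmlSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onmouseover, onerror, style, ...
            if name in ("href", "src") and (value is None or not _safe_url(value)):
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <img .../> is emitted once

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(html.escape(data, quote=False))  # re-escape text


def sanitize_html(fragment):
    p = FeedHtmlSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


def sanitize_rss(xml_text):
    """Return a list of {'title', 'description'} dicts safe to render.
    In production parse with defusedxml to guard against XML bombs."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        items.append({
            "title": html.escape(item.findtext("title", default=""), quote=False),
            "description": sanitize_html(item.findtext("description", default="")),
        })
    return items


# Constructed feed: one benign item and one carrying typical injection attempts.
SAMPLE_FEED = """<rss version="2.0"><channel><title>Constructed test feed</title>
<item>
  <title>Harmless post &amp; friends</title>
  <description><![CDATA[<p>Plain <b>text</b> with a <a href="https://example.com/" title="ok">link</a>.</p>]]></description>
</item>
<item>
  <title>Hostile post</title>
  <description><![CDATA[<p onmouseover="alert(1)">Hi<script>alert(document.cookie)</script></p>
<a href="javascript:alert(1)">click</a><img src="x" onerror="alert(2)"><iframe src="https://example.net/"></iframe>]]></description>
</item>
</channel></rss>"""

if __name__ == "__main__":
    for entry in sanitize_rss(SAMPLE_FEED):
        print(entry["title"], "->", entry["description"])
```

The allowlist approach is deliberate: a blocklist of known-bad tags misses the next attribute or scheme trick, while an allowlist only ever emits what the reader has decided it can render. Note that `src="x"` on the image is dropped as well, since a bare relative word is not a URL the reader can vouch for; loosen `_safe_url` if relative image paths are expected.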
I thought you weren’t supposed to discuss IE anymore…
That’s Richard posting, not me.
Matter of fact, we can say IE7.0, and there’s a blog post http://blogs.msdn.com/rssteam/archive/2006/08/07/691248.aspx from the RSS team detailing what they’d already done to defend against attacks via RSS feeds.