Waxy.org
Waxy.org is the sandbox of Andy Baio, an independent journalist and programmer living in Portland, Oregon. I created Upcoming.org and some other stuff too.

Evil RSS Feeds

Posted Feb 28, 2003

Some RSS readers are vulnerable to security exploits and other annoyances embedded in RSS/XML feeds. This morning, Phil showed me a proof-of-concept sample for Newsgator, the Outlook-based RSS reader, triggered by VBScript code in an RSS feed that e-mails a random person in your Outlook address book.

Other readers may not be vulnerable to Outlook-style hacks, but they can still be screwed up by JavaScript. Try subscribing to this RSS feed I created with your reader of choice. Syndirella displays the popup window and crashes on the JavaScript alerts. How about other readers?

Just to be clear, I'm not saying this is a serious issue. Users only subscribe to trusted RSS feeds, and feed providers are extremely unlikely to put malicious code in their feeds. It's just interesting that it works.
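The check a reader (or a validator) would run on a feed like the one described above, as an added example that is not code from this post, from Syndirella or from the feed validator: it parses the feed, flags the active-content patterns inside each item's description HTML (script elements, on* event-handler attributes, javascript: URLs), and returns a sanitized copy. The sample feed is constructed for the example.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

class ScriptStripper(HTMLParser):
    """Rebuilds HTML minus <script> blocks, on* handlers and javascript: URLs."""
    def __init__(self):
        super().__init__()  # convert_charrefs=True: text arrives decoded, so re-escape on output
        self.out, self.findings, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):  # tag and attribute names arrive lowercased
        self._in_script = tag == "script"
        if self._in_script:
            self.findings.append("script element")
            return
        kept = []
        for name, value in attrs:
            active = name.startswith("on") or (value or "").strip().lower().startswith("javascript:")
            if active:
                self.findings.append(f"{name}={value!r} on <{tag}>")
            else:
                kept.append(f' {name}="{html.escape(value or "")}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        self._in_script = False  # inside <script> the parser reports only </script>
        if tag != "script":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._in_script:  # script bodies are discarded entirely
            self.out.append(html.escape(data, quote=False))

def scan_feed(xml_text):
    """Yield (title, findings, sanitized_description) for every <item>."""
    local = lambda tag: tag.rsplit("}", 1)[-1]  # drop namespaces: RSS 2.0 or RSS 1.0/RDF
    for item in ET.fromstring(xml_text).iter():
        if local(item.tag) == "item":
            fields = {local(c.tag): (c.text or "") for c in item}
            p = ScriptStripper()
            p.feed(fields.get("description", ""))
            p.close()
            yield fields.get("title", ""), p.findings, "".join(p.out)

# Constructed sample feed: one clean item, one carrying all three patterns.
SAMPLE_FEED = """<?xml version="1.0"?><rss version="2.0"><channel>
<item><title>clean</title><description>&lt;p&gt;Plain &lt;b&gt;HTML&lt;/b&gt;.&lt;/p&gt;</description></item>
<item><title>active</title><description>&lt;p onmouseover="alert(1)"&gt;Hi&lt;/p&gt;&lt;script&gt;alert('x')&lt;/script&gt;&lt;a href="javascript:void(0)"&gt;link&lt;/a&gt;</description></item>
</channel></rss>"""
```

Run `list(scan_feed(SAMPLE_FEED))` to see the findings per item; the same call works on an RSS 1.0/RDF feed because elements are matched by local name.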

9 Comments

Feb 28, 2003
1:53 PM  
ksmith wrote:

I subscribed to the test feed via NetNewsWire, and was able to read all the entries with no apparent effects.


Feb 28, 2003
3:39 PM  
Greg Reinacker wrote:

I have posted comments related to NewsGator and this issue at http://www.newsgator.com/news/archive.aspx?post=3.


Feb 28, 2003
3:47 PM  
Kevin Burton wrote:

I noted this over on RSS-DEV and even made an amendment to the RSS 1.0 spec describing the problem.

The RSS-DEV team made a (bad) decision that it wasn't important enough to include in the spec.


Feb 28, 2003
3:53 PM  
Andy wrote:

What was the change that you proposed?


Feb 28, 2003
6:17 PM  
paul victor novarese wrote:

Radio Userland 8.0.8/XP reads it fine.


Feb 28, 2003
6:18 PM  
paul victor novarese wrote:

No pop-ups, btw.


Mar 3, 2003
11:50 AM  
Mark wrote:

As Kevin said, this problem has been known for some time. The RSS validator will even warn if a feed contains potentially harmful HTML elements. (Please, no followups saying the validator should separately report warnings and errors. It's coming eventually.)

http://feeds.archive.org/validator/check?url=http%3A%2F%2Fwww.waxy.org%2Frandom%2Ftext%2Fevil_rss.rdf

http://feeds.archive.org/validator/docs/warning/ContainsScript


Mar 3, 2003
11:57 AM  
Mark wrote:

Another, more subtle issue is the one of security zones. Browsers like Internet Explorer carve up the world into zones, and allow you to assign different security policies to each. But browser-based aggregators like Radio and Amphetadesk subvert this by pulling in remote content and republishing it in the local zone. So even if you've disabled active scripting for remote web sites, chances are your local 127.0.0.1:8888 or :5335 address is in the local (trusted) zone and has scripting enabled.

I wouldn't necessarily classify this as a bug; the programs are functioning as designed, but the design has (possibly unintended) consequences, that's all.


Mar 12, 2003
5:12 AM  
Dmitry Jemerov wrote:

The latest build of Syndirella, 20030311, filters JavaScript from RSS description elements, so it should not be vulnerable to the simpler exploits.



Andy Baio lives here. Some rights reserved, for your pleasure.