Robert Auger, a security engineer for Atlanta-based SPI Dynamics Inc., explained that if a Web site offering RSS and Atom feeds becomes infected with malicious code, not only can its feeds spread the attack, but also attackers can create their own malicious feeds that seem legitimate.
Therefore, he said, subscribers must assume all feed data is malicious -- even data from trusted feeds to which an end-user may already subscribe -- and take the necessary security precautions.
Expanding on his presentation description on the Black Hat Web site, Auger said many RSS clients fail to properly vet the data they receive, failing to guard against malicious and malformed content.
He noted that many RSS feeds are automatically generated from content originating in third-party feeds, search engine results and other areas, which means feed subscribers can be victimised even if they don't actually subscribe to a feed that's been specifically tainted.
Auger said that as more people use feeds to view news summaries, watch movies, read blogs and download music files, the bad guys have a growing playground from which to launch bots and worms.
An increasing number of electronic publishers have begun offering RSS and Atom feeds as the technology's popularity has grown. The PEW Internet & American Life Project has estimated that as much as 9% of the U.S. Internet population uses feeds, while New York-based JupiterResearch has said that number could be as high as 12%.
In conducting its research, SPI Dynamics found Bloglines, RSS Reader, RSS Owl, FeedDemon and SharpReader to be among those vulnerable to attack. Auger noted Bloglines fixed its vulnerability immediately after they were made aware of it.
Auger said he plans to conduct further research into how the feed threat affects P2P applications, podcast clients and DVRs like TiVo. For now, he said, users should be careful when subscribing to RSS and Atom feeds.
"When you get data, you can't assume it's good," Auger said. When choosing to subscribe to a feed, "you have to consider its potential impact and where the data is coming from."