RSS and Atom feeds ripe for attack

A researcher at Black Hat 2006 demonstrates how RSS and Atom feeds can spread the payload of a zero-day attack.

A researcher at Black Hat USA 2006 had a warning for those who subscribe to a growing selection of RSS and Atom feeds: If a Web site is susceptible to a zero-day attack, then its feeds -- and its feed recipients -- may be as well.

Robert Auger, a security engineer for Atlanta-based SPI Dynamics Inc., explained that if a Web site offering RSS and Atom feeds becomes infected with malicious code, not only can its feeds spread the attack, but attackers can also create their own malicious feeds that appear legitimate.

Therefore, he said, subscribers must assume all feed data is malicious -- even data from trusted feeds to which an end-user may already subscribe -- and take the necessary security precautions.

"You only have to hack a couple of sites' [feeds] and you can hurt a lot of users," Auger said.

Expanding on his presentation description on the Black Hat Web site, Auger said many RSS clients fail to properly vet the data they receive, failing to guard against malicious and malformed content.

Auger said that as a test he created several feeds and injected JavaScript into some, then observed the effects. He found it is possible to conduct a number of malicious activities, including logging keystrokes, stealing cookies and launching cross-site scripting attacks.
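The failure Auger describes is a feed reader rendering item HTML as-is, so script and event-handler markup inside a feed entry runs in the reader's context. The defensive counterpart is to treat every item body as untrusted and pass it through an allowlist sanitizer before rendering. The following is an added example written for this article, not code from Auger, SPI Dynamics or any of the readers named; it assumes an RSS 2.0 feed whose item text sits in `<description>`, and the feed document, the allowlist and the `FeedHtmlSanitizer`/`sanitize_feed` names are all constructed here for illustration.

```python
"""Allowlist sanitizer for RSS item content (constructed example, not the article's code).

Assumptions: RSS 2.0, item text in <description>, and a reader that renders that
text as HTML. Everything outside a small allowlist of tags and attributes is
dropped, including script bodies, inline event handlers and javascript: URLs.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse
import xml.etree.ElementTree as ET  # production code should use defusedxml here

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # no on* handlers anywhere, href only on <a>
SAFE_SCHEMES = {"http", "https"}         # relative and javascript: links are both dropped
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}  # tag AND its text are discarded


class FeedHtmlSanitizer(HTMLParser):
    """Rebuilds a fragment from scratch, keeping only allowlisted markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag (img, iframe, object, ...): drop the tag, keep its text
        safe_attrs = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            # urlparse lowercases the scheme, so JAVASCRIPT: is caught as well
            if name == "href" and urlparse(value.strip()).scheme not in SAFE_SCHEMES:
                continue
            safe_attrs.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(safe_attrs)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if not self._skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))  # re-escape decoded text


def sanitize_html(fragment: str) -> str:
    parser = FeedHtmlSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def sanitize_feed(rss_xml: str) -> list:
    """Parse an RSS 2.0 document and return items with sanitized title/description."""
    root = ET.fromstring(rss_xml)
    items = []
    for item in root.iter("item"):
        title = item.findtext("title", default="")
        body = item.findtext("description", default="")
        items.append({"title": escape(title), "description": sanitize_html(body)})
    return items


# Constructed sample feed: one benign item and one carrying the kinds of
# injected markup the article describes (inline handler, script, javascript: link).
SAMPLE_FEED = """<rss version="2.0"><channel><title>Constructed test feed</title>
<item>
  <title>Harmless post &amp; news</title>
  <description><![CDATA[<p>Read the <a href="https://example.com/post">full post</a>.</p>]]></description>
</item>
<item>
  <title>Injected item</title>
  <description><![CDATA[<p onmouseover="alert(1)">Hi</p><script>alert(document.cookie)</script><img src=x onerror="alert(2)"><a href="javascript:alert(3)">click</a>]]></description>
</item>
</channel></rss>"""

if __name__ == "__main__":
    for entry in sanitize_feed(SAMPLE_FEED):
        print(entry["title"], "->", entry["description"])
```

The sanitizer rebuilds output rather than trying to delete bad substrings from the input, which is what makes it robust against nested or malformed markup; anything not explicitly allowed never reaches the rendered page. Dropping relative `href` values is deliberate for a feed reader, since an item from one feed has no legitimate reason to link relative to the reader's own origin.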

He noted that many RSS feeds are automatically generated from content originating in third-party feeds, search engine results and other areas, which means feed subscribers can be victimised even if they don't actually subscribe to a feed that's been specifically tainted.

Auger said that as more people use feeds to view news summaries, watch movies, read blogs and download music files, the bad guys have a growing playground from which to launch bots and worms.

An increasing number of electronic publishers have begun offering RSS and Atom feeds as the technology's popularity has grown. The PEW Internet & American Life Project has estimated that as much as 9% of the U.S. Internet population uses feeds, while New York-based JupiterResearch has said that number could be as high as 12%.

In conducting its research, SPI Dynamics found Bloglines, RSS Reader, RSS Owl, FeedDemon and SharpReader to be among those vulnerable to attack. Auger noted that Bloglines fixed its vulnerability immediately after it was made aware of the issue.

Auger said he plans to conduct further research into how the feed threat affects P2P applications, podcast clients and DVRs like TiVo. For now, he said, users should be careful when subscribing to RSS and Atom feeds.

"When you get data, you can't assume it's good," Auger said. When choosing to subscribe to a feed, "you have to consider its potential impact and where the data is coming from."
