Bob Auger, a security engineer with SPI Dynamics, said that hackers could insert malicious JavaScript in blog updates that are delivered to subscribers’ machines via Really Simple Syndication (RSS) or Atom feeds. Auger presented his findings during the annual Black Hat Briefings, an Internet security conference.
Auger said blog feeds can be compromised in two ways: hackers setting up a corrupted blog and getting users to subscribe to its RSS feed, or more likely, inserting malicious code into a popular blog’s comments section, which often have their own feed.
Attackers also can send malicious code to mailing lists that offer feeds to attack compromised systems, Auger said. Feeds have risen to prominence because they allow users to consolidate information from websites into a single interface. This eliminates the need for clicking on a plethora of different websites.
Many RSS or feed readers do not include security software that can filter out malicious code. Auger said these applications should prevent JavaScript from running.
“A large percentage of the readers I tested had some kind of an issue,” Auger said. Vulnerable feed readers include Bloglines, RSS Reader, RSS Owl, Feed Demon and Sharp Reader, according to Auger.
Filtering out JavaScript at the feed reader level can get complicated because many readers use the code to deliver ads like one would see if they accessed the blog homepage.
