Read RSS, get hacked:
That’s because the growing use of Web feed readers and the proliferation of content-aggregation sites are giving hackers a really simple way to deliver keystroke loggers, Trojan horses and other malware onto their computers, security analysts warn.
The feed-hacking threat is not particularly new. However, the severity of the problem could be rising as feed services begin moving into the mainstream, said Ray Dickenson, vice president of product management at Authentium Inc., a Palm Beach, Fla.-based security vendor. “Malware authors are just taking advantage of the interconnectedness of Web 2.0” to distribute their code more efficiently, he said.
That is a rather interesting thing to think about. All of the various re-blogging sites and feed-mixers out there certainly have the potential to alter the output of those feeds. And usually the big problem with this type of behavior is reputation—people re-distribute content and represent it as their own, or even make it difficult to find out exactly where something originated.
Unprotected reputation makes it easier for someone to abuse that reputation maliciously: if you read something written by So-and-So, and So-and-So’s name is trustworthy, you may well be more inclined to download an enclosure, play a media file, read a document, or do anything else that is made available to you.
And while people are getting smarter about this behavior, the content itself isn’t protected, and thus lends itself to being easily copied, pasted, reblogged, or fed into hybrid amalgam feeds through the various mechanisms out there to do so. Yahoo! Pipes, for example, is a fabulous tool for massaging the output of feeds and allowing you to customize the way they are viewed and consumed, and there are plenty of web-based applications out there that do exactly this.
And since the user has to subscribe to a specific feed in nearly every circumstance, there is some level of trust already established: they did, in fact, subscribe to this feed, and surely they couldn’t have been making a mistake or been so naive. But nevertheless, it happens.
Enclosures in feeds aren’t a bad idea in and of themselves; they allow things like podcasting and premium content to be distributed via RSS and Atom—and that is a wonderful thing. But the browsers, readers and clients that accept this data are typically told to pull the enclosures and add them to your iTunes library, or to open Windows Media Player upon receipt, and that abuse of reputation and trust is opening up a whole new landscape of potential attack vectors.
Not to mention the most obvious one: malicious JavaScript present in a feed, with the reader dutifully following its instructions. Most readers that I’ve looked at over the years strive for compatibility over correctness, so these readers are designed to be very forgiving about the contents of a feed instead of validating and sanitizing them.
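To make the two points above concrete (enclosures that clients act on automatically, and feed bodies that readers render without sanitizing), here is an added example of what a defensively written reader would do with an item before rendering or fetching anything. It is not code from the original post or from any feed reader; it uses only the Python standard library, and the feed document, the allowlists, and the `evil.example` URLs in it are constructed for the demonstration.

```python
"""Defensive handling of feed items (constructed example, standard library only).

Two checks applied to every item before a reader renders or acts on it:
  1. sanitize_html(): allowlist-based cleaning of <description>/<content>, so
     script elements, on* event handlers and javascript: links never reach the
     rendering engine.
  2. vet_enclosure(): enclosures are never auto-fetched unless the declared
     MIME type is allowlisted and the URL scheme is http(s). Even then the
     declared type is only a hint; the caller must not hand the file to a
     player or installer on the strength of the feed's word alone.
"""
from html import escape
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

# Allowlists chosen for this example; a real reader would tune them.
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li", "br",
                "code", "pre", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_URL_SCHEMES = {"http", "https", "mailto"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
ALLOWED_ENCLOSURE_TYPES = {"audio/mpeg", "audio/mp4", "video/mp4", "application/pdf"}


def _safe_url(value: str) -> bool:
    # Remove whitespace/control characters before reading the scheme, since
    # browsers tolerate "java\nscript:" and a naive check would miss it.
    compact = "".join(ch for ch in value if ord(ch) > 32)
    scheme = urlparse(compact).scheme.lower()
    return scheme == "" or scheme in SAFE_URL_SCHEMES


class _Sanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes; everything else is text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # >0 while inside a dropped element such as <script>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not _safe_url(value or ""):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if not self._skip_depth and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data))


def sanitize_html(fragment: str) -> str:
    parser = _Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def vet_enclosure(url: str, declared_type: str, length: Optional[str]) -> tuple:
    """Return (auto_fetch_ok, reason). Never fetches or opens anything."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, f"scheme {parsed.scheme!r} not allowed"
    if declared_type.lower() not in ALLOWED_ENCLOSURE_TYPES:
        return False, f"type {declared_type!r} not on allowlist"
    if length is not None and not length.isdigit():
        return False, "length is not numeric"
    return True, "ok"


# Constructed RSS document: one benign item, one hostile item.
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed feed</title>
<item><title>Benign post</title>
<description><![CDATA[<p>Hello <b>world</b> <a href="https://example.com/x">link</a></p>]]></description>
<enclosure url="https://example.com/ep1.mp3" type="audio/mpeg" length="1234"/></item>
<item><title>Hostile post</title>
<description><![CDATA[<p onmouseover="alert(1)">Hi</p><script>alert('x')</script><a href="javascript:alert(2)">click</a><iframe src="https://evil.example/"></iframe>]]></description>
<enclosure url="https://evil.example/update.exe" type="application/x-msdownload" length="99"/></item>
</channel></rss>"""


def process_feed(xml_text: str) -> list:
    """Parse RSS 2.0 items, sanitize bodies, and decide on each enclosure."""
    root = ET.fromstring(xml_text)  # expat does not fetch external entities by default
    results = []
    for item in root.iter("item"):
        record = {"title": item.findtext("title"),
                  "html": sanitize_html(item.findtext("description") or ""),
                  "enclosure": None}
        enc = item.find("enclosure")
        if enc is not None:
            ok, why = vet_enclosure(enc.get("url", ""), enc.get("type", ""), enc.get("length"))
            record["enclosure"] = {"url": enc.get("url"), "auto_fetch": ok, "reason": why}
        results.append(record)
    return results


if __name__ == "__main__":
    for rec in process_feed(SAMPLE_RSS):
        print(rec)
```

Run as-is, the hostile item comes out as plain `<p>Hi</p><a>click</a>` with its enclosure marked `auto_fetch: False`, while the benign item is rendered unchanged. The design choice is that the reader is strict where the feed is untrusted: an allowlist says what may be rendered, rather than a denylist trying to enumerate what must not be, and the enclosure decision is made from the URL scheme and declared type without ever dispatching the file to another application.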
I think it will be interesting to see what exactly happens with this mode of attack, and what the implications are of trusting unsigned and invalid data in content syndication formats. It will certainly be interesting to see if anyone actually follows this with some real diligence in helping people avoid this type of an attack.
Suddenly I’m curious if I can plant malicious JavaScript into my del.icio.us RSS feed.