Shostack + Friends Blog Archive


RSS vulnerable?

Well, yeah. Of course. The perfect storm for a new wave of attacks:
1. New protocol catching on fast that involves completely trusting clients.
2. Insecure servers maintained by inexpereinced sys-admins.
3. A vulnerable RSS reader tied directly to the OS. (Can you say IE7.0?)
A report out of SpiDynamics at BlackHat this week:

Attackers could insert malicious JavaScript in content that is transferred to subscribers of data feeds that use the popular RSS (Really Simple Syndication) or Atom formats, Bob Auger, a security engineer with Web security company SPI Dynamics, said Thursday in a presentation at the Black Hat security event here.

Not a new idea as it has been predicted as early as 2005 by security bloggers. 🙂

3 comments on "RSS vulnerable?"

Comments are closed.