Feeds As Attack Delivery Systems
Niall Kennedy: Robert Auger and Caleb Sima of security firm SPI Dymanics gave a 50-minute security briefing on RSS and Atom feed vulnerabilities at yesterday’s Black Hat conference in Las Vegas. Their talk, Zero Day Subscriptions: Using RSS and Atom feeds As Attack Delivery Systems detailed how many blogging systems and feed aggregators do not block against malicious code insertion by third parties and often run at elevated permission levels on a user’s machine, exposing an entire operating system to a potential scripting attack.
It would be useful if specific examples were included, otherwise this is merely needless defamation. My experience is that the companies listed are ones that respond quickly, once notified of the problem.
Update: A whitepaper on the exploits, including example feeds, is available from SPI Dynamics.