It is just a matter of time. One of these days, some hacker will deface a popular site like Engadget. But instead of putting something visible on the site, they will put something invisible in the feed.
By the magic of syndication, that data will then be distributed like spores to untold thousands of locations. In the process it will be transported from a relatively untrusted location (like BoingBoing) to a place of equal or greater trust. Places like popular portal sites, or just perhaps, to your very own hard drive.
From there, it will lie in wait until you check for news. Invisibly it will spring into action. You won’t even notice it running. It will be able to do anything from uploading your preferences and passwords to a remote location to downloading malware onto your machine. Shortly thereafter, this entry will be marked as read, or scroll off the bottom of your river of news, and you will never know how you just got p0wned.
Last week, SPI Dynamics presented a whitepaper on this topic. Underreported at the time was the cooperation and dedication that a number of authors of popular feed reader software have demonstrated to date. Also underreported is the difficulty of reliably detecting the presence of JavaScript in feeds.
As a first step, James Holderness devised 85 tests for Snarfer. None of these tests attempt to do anything malicious; instead they simply attempt to produce a popup identifying the source of the exposure. I’ve tried these tests against the latest Universal Feed Parser, and in each case the JavaScript was either outright removed or otherwise rendered harmless.
Sometime in November (i.e., in about 90 days), and with James’s consent, I will commit these tests as a part of the Feed Parser regression test suite. At which point, they will be open source, and easy to find by friend and foe alike.
Meanwhile, if you are developing software that consumes feeds, please get hold of either James or myself and we will share these tests with you. Contributions of additional tests are also welcome.
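As an added example (this is not code from this post, and not the Universal Feed Parser’s own sanitizer), here is the shape of both the check a feed reader needs and the tests described above: a whitelist HTML sanitizer, and a set of constructed vectors, each of which tries to raise a popup naming the hole it came through. The vectors are modeled on the idea of James Holderness’s tests, not copied from them, and every name in the block (FeedSanitizer, sanitize, run_vectors, the vector strings) is this example’s own assumption.

```python
# Added example: not code from Sam Ruby's post nor from the Universal Feed
# Parser. A whitelist HTML sanitizer of the kind a feed reader needs, plus
# constructed test vectors modeled on the popup-producing tests described in
# the post. All names here (FeedSanitizer, sanitize, run_vectors) are assumed.
import html
import re
from html.parser import HTMLParser

# Tags a reader may render; anything else is stripped but its text is kept.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "div", "span",
                "ul", "ol", "li", "img", "blockquote", "code", "pre"}
# Tags whose *contents* must be discarded too, not just the tag itself.
DROP_CONTENT = {"script", "style", "iframe", "object", "noscript"}
# Attribute whitelist: no on* handlers, no style= (CSS expression()).
ALLOWED_ATTRS = {"href", "src", "alt", "title"}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto", "ftp"}
VOID_TAGS = {"br", "img"}
# Whitespace and control characters browsers ignore inside "javascript:".
_CTRL = re.compile(r"[\x00-\x20\x7f]")


def url_is_safe(value):
    """Allow relative URLs and whitelisted schemes only, after removing the
    control characters a browser would skip over inside the scheme name."""
    norm = _CTRL.sub("", value).lower()
    m = re.match(r"^([a-z][a-z0-9+.-]*):", norm)
    if m is None:
        return True            # relative URL: no scheme to abuse
    return m.group(1) in SAFE_SCHEMES


class FeedSanitizer(HTMLParser):
    """Rebuild a fragment from a whitelist; everything unknown is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)   # entities decoded *before* checks
        self.out = []
        self.drop_depth = 0    # >0 while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:           # names arrive lowercased, values unescaped
            if name not in ALLOWED_ATTRS:
                continue
            value = value or ""
            if name in URL_ATTRS and not url_is_safe(value):
                continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_startendtag(self, tag, attrs):
        if tag in DROP_CONTENT:
            return                           # self-closing form has no content to skip
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.drop_depth = max(0, self.drop_depth - 1)
        elif not self.drop_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(html.escape(data, quote=False))
    # Comments, declarations and CDATA go to the base class's no-op handlers.


def sanitize(fragment):
    p = FeedSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


# Constructed vectors (not James Holderness's actual tests); each one tries
# to pop an alert that names the hole it came through.
VECTORS = {
    "script_tag": "<p>news</p><script>alert('script tag')</script>",
    "event_handler": "<p onmouseover=\"alert('handler')\">hover</p>",
    "img_onerror": "<img src=\"x.png\" onerror=\"alert('onerror')\">",
    "javascript_href": "<a href=\"javascript:alert('href')\">click</a>",
    "entity_obfuscated_href": "<a href=\"jav&#x09;ascript:alert('entity')\">x</a>",
    "css_expression": "<div style=\"width:expression(alert('css'))\">text</div>",
    "iframe_src": "<iframe src=\"javascript:alert('iframe')\"></iframe>after",
    "commented_script": "<!-- <script>alert('comment')</script> -->ok",
    "plain_markup": "Plain text & <b>bold</b>",
}
_PAYLOAD = re.compile(r"alert\(|javascript:|<script|\son\w+=|expression\(", re.I)


def payload_survives(output):
    """Heuristic the test suite applies to each result: did the popup get through?"""
    return bool(_PAYLOAD.search(output))


def run_vectors():
    """Return {name: (sanitized_output, payload_survived)} for every vector."""
    results = {}
    for name, src in VECTORS.items():
        out = sanitize(src)
        results[name] = (out, payload_survives(out))
    return results


if __name__ == "__main__":
    for name, (out, leaked) in run_vectors().items():
        print("%-24s %s  %r" % (name, "LEAK" if leaked else "ok  ", out))
```

Two things the block makes concrete about why detection is hard: the scheme check has to run after entity decoding and control-character stripping (the `jav&#x09;ascript:` vector passes a naive `startswith("javascript:")` test), and attributes are kept by whitelist rather than by blacklisting `on*`, so a handler name the blacklist never heard of is still dropped. A clean result from a sanitizer like this is only half the defence; the reader still has to render the output in a low-privilege context.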
Everyone is still vulnerable to NSFW attacks. Just point them at content they aren’t meant to look at at work, have it appear in the proxy log/browser cache, and suddenly they are incriminated. Can you really say “my machine downloads adult content automatically” and expect to avoid the short conversation with HR?
Go on Sam, take the Flash from here and stick it in a post. [link]
‘p0wned’... weird, a typo in the middle of a typo. Yeah, that should totally be ‘pwned’. :-)
I should probably run those tests against FeedTools. I discovered that some of the sanitization code wasn’t working as intended the other day, though I haven’t committed the fix for it yet because of some other code that isn’t working right.
Paul Hammond: Sam Ruby: Attack Delivery TestSuite - Sometime in November (i.e., in about 90 days), and with James’s consent, I will commit these tests as a part of the Feed Parser regression test suite...
Sam Ruby: “As a first step, James Holderness devised 85 tests for Snarfer. None of these tests attempt to do anything malicious, instead they simply attempt to produce a popup identifying the source of the exposure.” James’...
Mark Woodman has a list of 7 RSS Javascript tests that you should be checking against your RSS Reader. Or maybe not, Mark managed to break his RSS reader with them. James Holderness also has some tests (85), but they are not public yet. James...
Charles Miller: [via Stefan Tilkov] If you are involved with the development of any tool that consumes feeds, I encourage you to read James Snell’s recent post. It is clear now that giving people months to react only advantages the...
Planet Webservices: Charles Miller: Often, full disclosure is explained as a way to make sure vendors are responsive, using “naming and shaming” to force a faster patch schedule. This is certainly one aspect of the practice, but far more important is...
In my previous post I wrote about FeedDemon’s security features, the most important of which is the fact that FeedDemon’s newspapers operate in Internet Explorer’s “Internet Zone” instead of the less secure local zone. This means that even if...
Ok, so it’s been about a month I guess since I started talking about scripting exploits in feeds. I put together a whole bunch of Atom test cases based on an initial set of RSS tests produced by James Holderness. Several Feed Reader developers...
Last month I promised to talk about the exploits that James Snell uncovered which left feed readers vulnerable to some very annoying script-based attacks. I didn’t want to provide details of the exploits until other feed readers had patched them,...
If you are an enterprise considering deployment of RSS technology, this post might point you to some test suites to assess vendor security: Feed Security Ok, so it’s been about a month I guess since I started talking about scripting......
Hi Sam, how do I get hold of the tests for RSS feeds? I’ve been working on an RSS reader for an enterprise product and would like to run the reader through the vulnerabilities.
Exploiting Chrome and Opera’s inbuilt ATOM/RSS reader with Script Execution and more
============================================= SECURETHOUGHTS.COM ADVISORY - CVE-ID : CVE-2009-XXXX (Chrome) {Pending} - Release Date : September 15, 2009 - Severity : Medium to High - Discovered by : Inferno...