Posted by Migo on Aug 8th, 2006
USA Today published an article last week about how feeds such as RSS and Atom, among others, could leave a hole in your security. For someone like me, who goes through well over 200 articles a day from 11+ feeds, this is more than a little disconcerting.
Bob Auger, a security engineer with Web security company SPI Dynamics, said that malicious content could be inserted into a feed for any number of purposes. He also said that the problem is not specific to RSS or Atom but applies to any kind of web feed, meaning the same can be said about other content delivery systems like mailing lists.
Most aggregators are at fault because their designers didn’t add security checks. So check whether your aggregator, if you use one, filters out JavaScript, especially if you’re on Windows. Auger went on to say that some reader software for Windows uses Internet Explorer to display content but doesn’t apply the basic security settings that isolate that content, so JavaScript embedded in a feed is downloaded onto the PC and runs with complete access. This can be hazardous to your computer, as anyone can see.
Auger listed Bloglines, RSS Reader, RSS Owl, Feed Demon, and Sharp Reader as vulnerable readers in his presentation at Black Hat on Thursday. He suggested that people switch to non-vulnerable readers and that feed publishers check their feeds to make sure they’re safe. One problem with removing JavaScript, however, is that many publishers rely on it to place advertisements in their feeds.
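One way a publisher (or a reader developer) could run that check is an audit script that parses a feed and flags entries whose HTML payload carries script blocks, inline on* event handlers, or javascript: URLs, then strips them before the content is rendered. This is an added example, not code from the article or from SPI Dynamics; the feed below is constructed for the demonstration, and the regex patterns are a quick audit, not a full HTML sanitizer.

```python
import re
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
# Regex-based detection of the three common ways script ends up in feed HTML.
# Regexes are for a quick audit only; a production sanitizer should parse the
# HTML and keep an allowlist of tags and attributes instead.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.I | re.S)
EVENT_RE = re.compile(r"""\s(on[a-z]+)\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)""", re.I)
JSURL_RE = re.compile(r"""\b(href|src)\s*=\s*(["']?)\s*javascript:[^"'>]*\2""", re.I)

# Constructed sample feed (not a real publisher's feed): one clean item and one
# whose description carries an event handler, a script block and a javascript: link.
SAMPLE_RSS = """<rss version="2.0"><channel><title>Constructed feed</title>
<item><title>Safe</title>
<description>&lt;p&gt;Plain &lt;b&gt;HTML&lt;/b&gt; only&lt;/p&gt;</description></item>
<item><title>Risky</title>
<description>&lt;p onmouseover="alert(1)"&gt;Hi&lt;/p&gt;
&lt;script&gt;alert(1)&lt;/script&gt; &lt;a href="javascript:alert(2)"&gt;x&lt;/a&gt;</description></item>
</channel></rss>"""

def findings(fragment):
    """List the kinds of active content present in one HTML fragment."""
    found = []
    if SCRIPT_RE.search(fragment):
        found.append("script tag")
    found += sorted({m.group(1).lower() for m in EVENT_RE.finditer(fragment)})
    if JSURL_RE.search(fragment):
        found.append("javascript: URL")
    return found

def sanitize(fragment):
    """Strip script blocks and on* handlers, and neuter javascript: URLs."""
    fragment = SCRIPT_RE.sub("", fragment)
    fragment = EVENT_RE.sub("", fragment)
    return JSURL_RE.sub(r"\1=\2#\2", fragment)

def check_feed(xml_text):
    """Map entry title -> findings for RSS items / Atom entries (text payloads only)."""
    report = {}
    for entry in ET.fromstring(xml_text).iter():
        if entry.tag not in ("item", ATOM + "entry"):
            continue
        title = entry.findtext("title") or entry.findtext(ATOM + "title") or "(untitled)"
        for field in ("description", ATOM + "content", ATOM + "summary"):
            for node in entry.findall(field):
                hits = findings(node.text or "")
                if hits:
                    report.setdefault(title, []).extend(hits)
    return report
```

Running `check_feed(SAMPLE_RSS)` reports only the "Risky" item; `sanitize()` applied to its description leaves nothing for `findings()` to flag, which is the state a reader should be in before handing feed HTML to an embedded browser control.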
Before you go throwing all those feed addresses you’ve got down the toilet (like this feed) and unsubscribing from every mailing list, calm down. We at WayoftheGeek assure you that we check our feed. Simply ask the publishers of your favorite feeds to do the same thing. If they don’t acknowledge your request, find a new source for news. I’d definitely suggest finding a safer reader as well if possible. I found out that Bloglines was notified by SPI Dynamics about this problem beforehand and they corrected the problem the same day.
So do a little research, look up safer aggregators, and relax a little. Remember that these people are looking out for you, not trying to get you…well, most of them.
Posted in geek