ifacethoughts

Attack Of The Feeds

As JavaScript and AJAX get more and more popular in the 2.0 world, so do their misuses! News.com reports that miscreants are able to use RSS and Atom feeds as attack delivery systems.

Like a webpage, a feed can play host to malicious JavaScript code embedded in its content. The severity of the attacks can be left to the imagination, considering that some feed readers sit inside the browser, download feed content and can open up the entire computer to it. The whole infrastructure supports the attacks today: the blogs, the sites, the feeds and the feed readers, including some popular ones like Bloglines and FeedDemon.

This is a classic case of a single technology evolving without supporting developments in its periphery, from either a support or a security standpoint. AJAX has arrived, but it is still not a standard, and there is no guarantee it will always work. JavaScript is being used everywhere, but there is nothing in place to secure it. If users disable JavaScript for fear of these attacks, then the golden boy, AJAX, will be rendered useless.

Feeds are being touted as the best form of syndication everywhere (blogs, email lists, news sites), and for good reason. Feeds are convenient and increase productivity. However, today they are also a possible source of attack on your computer. Suddenly, the role of feed readers gets more complex: they not only have to read feeds, but possibly also look for malicious code and even strip out the invalid markup. As Niall Kennedy says, the danger is not only the first time you subscribe to a feed. It is quite possible that the blog gets owned by someone else in the future, who might not be trustworthy. Feed readers should also be able to raise this and provide an option for unsubscribing.

We cannot stop using feeds because these attacks are possible, just as we have not stopped using the Internet because of certain malicious sites. We will continue to be more alert and worried though, every time an article pops out of a feed, with an increased level of security alert.


This is the weblog of Abhijit Nadgouda where he writes down his thoughts on software development and related topics. You are invited to subscribe to the feed to stay updated or check out more subscription options. Or you can choose to browse by one of the topics.
