LAS VEGAS — In a Black Hat presentation here, SPI Dynamics Security Engineer Robert Auger laid bare the plain facts on RSS and ATOM feed exploitation. Auger tested both Web-based and local RSS readers and found both types to be ripe platforms for malicious users to exploit with code injection that could steal users’ credentials, cookies, keystrokes and other information.

There are two principal approaches for hackers to take advantage of RSS. The first is that the feed owner is malicious and injects the code into their own feed directly. In Auger’s view that’s not the most popular use case. Auger suggested that rather than defacing a Web site, a hacker could inject an attack into the feed. In such a scenario, the attacker then “owns” all of the site’s subscribers as well.

It’s the delivery potential of RSS that makes it so potentially harmful. It’s an attack vector that has the potential to affect thousands of people at a time, depending on the popularity of the compromised feed.

Web-based readers are particularly vulnerable to a variety of attacks, including SQL injection, command execution and denial of service. Many local RSS readers provide easy access to the file system and could potentially be used to port scan the local network or to relay attacks.

Auger specifically noted that, among Web-based RSS readers, Bloglines was susceptible to injection. On the local side, Auger called out RSS Reader, RSS Owl, Feed Demon and Sharp Reader. The list of vulnerable readers was incomplete, since Auger admitted that he didn’t want to mention vendors that he was still working with or had not yet contacted.

“It happens to everybody,” Auger said. “People aren’t taking into consideration where the data is coming from before they actually use it.”

There are ways to secure feed readers against malicious scripts. In many cases the solutions involve degrading a usability feature. For example, Auger suggested that feed readers prevent scripts, applets and plug-ins from being executed. “Whenever you get data from you can’t assume that data is good,” Auger advised the audience. “No matter where it comes from you need to take into consideration the risks that come with it.”