RSS For Hackers?

by admin August 5, 2006 at 3:31 am

LAS VEGAS — RSS is a great technology for delivering content; it’s also a potentially destructive tool for hackers to use as an attack-delivery system.

In a Black Hat presentation here, SPI Dynamics Security Engineer Robert Auger laid bare the plain facts on RSS and ATOM feed exploitation.

Auger tested both Web-based and local RSS readers and found both types to be ripe platforms for malicious users to exploit with code injection that could steal users’ credentials, cookies, keystrokes and other information.

There are two principal approaches for hackers to take advantage of RSS. The first is that the feed owner is malicious and injects the code into their own feed directly. In Auger’s view that’s not the most popular use case.

Auger suggested that rather than defacing a Web site, a hacker could inject an attack into the feed. In such a scenario, the attacker then “owns” all of the site’s subscribers as well.

It’s the delivery potential of RSS that makes it so potentially harmful. It’s an attack vector that has the potential to affect thousands of people at a time based on the popularity of the compromised feed.

Web-based readers are particularly vulnerable to a variety of attacks including SQL Injection, command execution and denial of service.
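The two reader-side controls the talk's findings point to, feed HTML that is rebuilt through an allowlist before it is rendered, and feed fields that reach the reader's database only through parameterized queries, as an added example that is not code from the article, from Auger or from SPI Dynamics. It assumes an RSS 2.0 feed, uses only the Python standard library, and runs against a constructed sample feed embedded in the block (the `example.com` links and the `items` table are invented for the demonstration).

```python
"""Defensive ingestion of an untrusted RSS 2.0 feed (added example, not the article's code).

1. Description HTML is re-serialised through an allowlist, so script, event
   handlers and javascript: URLs never reach the page the reader renders.
2. Feed fields are stored with parameterized SQL, so SQL metacharacters in a
   title are stored as data rather than executed.
A production reader should additionally parse the XML with defusedxml (not
used here) to cover entity-expansion attacks.
"""
import html
import sqlite3
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li",
                "br", "code", "pre", "blockquote"}
VOID_TAGS = {"br"}
ALLOWED_ATTRS = {"a": {"href"}}          # the only attribute we keep at all
SAFE_URL_PREFIXES = ("http://", "https://")


class FeedHTMLSanitizer(HTMLParser):
    """Keeps allowlisted tags/attributes; drops everything else.

    Unknown tags are removed but their text is kept; <script>/<style> are
    removed together with their contents; comments are discarded.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []        # emitted tags still open, so output stays well-formed
        self.skip_depth = 0   # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops every on* handler, style, src, ...
            if name == "href" and not value.lower().lstrip().startswith(SAFE_URL_PREFIXES):
                continue  # drops javascript:, data:, vbscript: and relative links
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if tag in self.open:
            while self.open:  # also closes anything left open inside this tag
                t = self.open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

    def close(self):
        super().close()
        while self.open:
            self.out.append(f"</{self.open.pop()}>")


def sanitize_html(fragment):
    """Return a safe-to-render version of an HTML fragment taken from a feed."""
    p = FeedHTMLSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


def parse_rss(xml_bytes):
    """Parse RSS 2.0 items; description HTML is sanitized at the trust boundary."""
    root = ET.fromstring(xml_bytes)
    return [{"title": item.findtext("title", default=""),
             "link": item.findtext("link", default=""),
             "description": sanitize_html(item.findtext("description", default=""))}
            for item in root.iter("item")]


def ingest_feed(xml_bytes, conn=None):
    """Store parsed items using parameterized SQL; returns the connection."""
    conn = conn or sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE IF NOT EXISTS items (title TEXT, link TEXT, description TEXT)")
    conn.executemany("INSERT INTO items (title, link, description) VALUES (?, ?, ?)",
                     [(i["title"], i["link"], i["description"]) for i in parse_rss(xml_bytes)])
    conn.commit()
    return conn


# Constructed sample feed: one benign item and one carrying markup a reader must not render.
SAMPLE_FEED = b"""<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed sample feed</title>
<item><title>Benign post</title><link>https://example.com/benign</link>
<description><![CDATA[<p>Hello <b>world</b>. <a href="https://example.com/more">more</a></p>]]></description></item>
<item><title>Tainted post'); DROP TABLE items; --</title><link>https://example.com/tainted</link>
<description><![CDATA[<p onmouseover="alert('demo')">Read <a href="javascript:alert('demo')">this</a></p><script>alert('demo')</script><img src="x" onerror="alert('demo')">]]></description></item>
</channel></rss>"""

if __name__ == "__main__":
    db = ingest_feed(SAMPLE_FEED)
    for title, desc in db.execute("SELECT title, description FROM items"):
        print(repr(title), "->", desc)
```

The sanitizer is an allowlist rebuilt from parsed tokens rather than a regex over the raw string, so unknown tags, event-handler attributes and non-http(s) URLs are discarded by construction instead of being pattern-matched; the tainted item above comes out as `<p>Read <a>this</a></p>`, and its title survives the INSERT as a literal string because the query is parameterized.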

