Syndicated content, from blogs, news sites and the like is a popular way
to track these websites, but also provides a vector for malware.
are the two formats used to provide
syndicated content and there are a variety of web-based and standalone
clients that can read RSS/Atom feeds and display them to users. These
clients often do not have proper filtering of the content provided and can
be susceptible to various attacks.
Both RSS and Atom are XML-based formats that contain various elements of the
content that is being syndicated -- title, description, story link, etc.
program, often known as an 'aggregator' allows the user to subscribe to
various feeds and will check periodically for new content. The aggregator
then displays that information and the user can choose content items to look
at more closely. Because much of the content is from websites, aggregators
typically interpret HTML content in the feed data for display. This
provides the means for attacks.
Malicious content, for
scripting (XSS) or
request forgery (XSRF) can be inserted into one of the textual
portions of the feed data. If the aggregator does not sufficiently filter
the received data, it may expose the user to the malware. Web-based
aggregators are particularly susceptible as they run in a browser with
all of the normal browser capabilities, but standalone clients often include
browser-like rendering or will start a browser to follow feed links.
While it is certainly possible, it is probably unlikely that feed providers
will directly put malware in their feeds; it is too easy to track them down.
A much more likely scenario is feeds that syndicate user generated content,
like comment feeds on blogs or sites like LWN (syndication information
here). Depending on the filtering
that the site does, it may be able to propagate malware within its syndication
content. A malicious user could, anonymously at many sites, post a comment
that contained malware and effectively co-opt that site into spreading it.
A popular site could potentially spread this malware very widely, even if
only a small percentage of its users' aggregators were affected.
In addition, many popular sites are 're-syndicated', their feeds are included
in the feeds of aggregation sites. A security site, for instance, might
display the feeds of several other security sites and include that content
in their own feed. This provides for a virus-like propagation where a
can inject content once and have it start showing up in multiple feeds.
Some sites will also collect up mailing list entries
or descriptions of new content available on peer-to-peer networks and
add them to their syndication feed. This provides even more ways for
someone to anonymously inject malware.
Bob Auger presented his
(PDF) on this subject at Black Hat 2006 conference. He provides several
examples of plausible malware attack scenarios as well as examples of RSS and
Atom data that demonstrate these techniques.
The potential for malicious content in any data that originates from
elsewhere really cannot be overstated. The tools we use on a day to day
basis need to be aware of this potential and act appropriately. It may
seem like security articles tediously repeat the same 'filter input data'
mantra over and over, but, here is yet another place where proper filtering
has been overlooked.
to post comments)