RSS Security
RSS is growing at lightning speed. Once known only as a "techie
tool", RSS is becoming a tool used daily by the general
population. Along with the good comes the not so good. And while
some have mentioned the emergence of RSS spam, where content
publishers dynamically generate nonsensical feeds stuffed with
keywords, the real concern relates to security. While an annoyance
to the search engines, spam in RSS feeds pales in comparison to
the possible security concerns that could be in RSS' future.
Security Implications Related to RSS
As RSS gains momentum, security fears loom large. As publishers
are quickly finding innovative uses for RSS feeds, hackers are
taking notice. The power and extensibility of RSS in its simplest
form is also its Achilles' heel. The expansion capabilities of the
RSS specification, specifically the "enclosure" field which has
launched the podcasting phenomenon, are where the vulnerabilities
lie. The enclosure field in itself is not the problem; in fact the
majority of RSS feeds do not even use the enclosure tag. The
enclosure tag is essentially used to link to files, things like
images, Word documents, MP3 files, PowerPoint presentations, and
executables, and can be thought of in similar terms to email
attachments.
The fact that RSS can be used to distribute these file types
has opened a myriad of doors to users of the syndication
standard, but it has also created cause for concern. Most people
do not feel that the risk is significant because people "choose"
the content that they receive, and while that might make the
distribution of malware, viruses and spy applications via RSS
less prevalent, there is still the inherent risk of an infected
file being distributed.
The problem is one of both technology and lack of education.
The danger lies in the fact that many RSS readers, news
aggregators, or pod-catchers automatically download the
information contained in the enclosure field regardless of its
file type or source.
Most RSS developers acknowledge the risks associated with the
enclosure field, but few have had the forethought to include
filtering, screening or authentication capabilities and many
automatically download enclosures.
Nick Bradbury of Bradsoft/NewsGator seems to be proactive,
designing FeedDemon with security in mind. FeedDemon uses an
editable safelist of file types as well as allowing users to
monitor what files are automatically downloaded. FeedDemon also
contains hard-coded warnings related to specific file types.
Developers of ByteScout took a different approach to the
handling of enclosure files: ByteScout does not automatically
download anything, and requires user intervention for each download.
Unfortunately, not all RSS readers, aggregators and podcatchers
consider the possible security implications associated with RSS
feeds and podcasts; some will automatically download enclosures
without warning or any thought of security. Be sure to examine
how your RSS reader handles files contained in the enclosure
field of an RSS feed.
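As an added illustration (not code from the article, nor from FeedDemon or ByteScout), the following Python script shows what a reader-side enclosure check looks like. It parses a constructed RSS 2.0 feed, pulls out each enclosure tag described above, and applies the two policies the article contrasts: an editable safelist of file types with hard-coded warnings for executable extensions, and an optional mode that prompts before every download. The sample feed, the safelist contents and the verdict names are assumptions made for this example.

```python
"""Reader-side screening of RSS enclosures (added example, not a real reader's code)."""
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample feed for illustration; not a real publisher's feed.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Example Podcast</title>
    <link>http://podcast.example/</link>
    <item>
      <title>Episode 1</title>
      <enclosure url="http://podcast.example/ep1.mp3" length="1234567" type="audio/mpeg"/>
    </item>
    <item>
      <title>Show notes</title>
      <enclosure url="http://podcast.example/notes.pdf" length="4567" type="application/pdf"/>
    </item>
    <item>
      <title>Trailer</title>
      <enclosure url="http://cdn.example.net/trailer.mp3" length="2222" type="audio/mpeg"/>
    </item>
    <item>
      <title>Bonus</title>
      <enclosure url="http://podcast.example/bonus.exe" length="99999" type="audio/mpeg"/>
    </item>
    <item>
      <title>Text only</title>
      <description>No enclosure here.</description>
    </item>
  </channel>
</rss>
"""

# Editable safelist (assumed contents): extension -> MIME types accepted for it.
SAFELIST = {
    ".mp3": {"audio/mpeg"},
    ".jpg": {"image/jpeg"},
    ".png": {"image/png"},
    ".pdf": {"application/pdf"},
}
# Hard-coded warning list: these are never fetched silently, whatever the safelist says.
WARN_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".com", ".pif", ".vbs", ".js", ".msi"}


def extract_enclosures(feed_xml):
    """Return (feed_host, [enclosure dicts]) from an RSS 2.0 document."""
    root = ET.fromstring(feed_xml)
    feed_host = urlparse(root.findtext("channel/link", default="")).hostname
    enclosures = []
    for item in root.iter("item"):
        enc = item.find("enclosure")
        if enc is None:
            continue  # ordinary item without an attachment
        enclosures.append({
            "title": item.findtext("title", default="(untitled)"),
            "url": enc.get("url", ""),
            "type": enc.get("type", "").lower(),
        })
    return feed_host, enclosures


def classify(enclosure, feed_host, prompt_every_download=False):
    """Decide 'download' (silent), 'prompt' (ask the user) or 'warn' (ask, with a hard warning)."""
    url = urlparse(enclosure["url"])
    ext = posixpath.splitext(url.path)[1].lower()
    if ext in WARN_EXTENSIONS:
        return "warn"                      # hard-coded warning type
    if url.scheme not in ("http", "https") or not url.hostname:
        return "prompt"                    # malformed or unusual URL: never silent
    if ext not in SAFELIST or enclosure["type"] not in SAFELIST[ext]:
        return "prompt"                    # not safelisted, or declared type disagrees with extension
    if url.hostname != feed_host:
        return "prompt"                    # enclosure hosted somewhere other than the feed itself
    return "prompt" if prompt_every_download else "download"


def screen_feed(feed_xml, prompt_every_download=False):
    """Map each item title to its verdict under the chosen policy."""
    feed_host, enclosures = extract_enclosures(feed_xml)
    return {e["title"]: classify(e, feed_host, prompt_every_download) for e in enclosures}


if __name__ == "__main__":
    for mode in (False, True):
        print("prompt on every download:" if mode else "safelist policy:")
        for title, verdict in screen_feed(SAMPLE_FEED, mode).items():
            print(f"  {title:10s} -> {verdict}")
```

The safelist mode lets known-good types from the feed's own host through silently and routes everything else to the user; the prompt-every-download mode keeps the hard warning for executables but otherwise asks about each file, as ByteScout does. Note that the declared type attribute is publisher-supplied, so the check treats a disagreement between it and the URL's extension as a reason to ask rather than as proof of anything.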
With the increased use of RSS and podcasting, the security
risks increase with it. There is cause for concern; however,
proactive users and conscientious developers can easily reduce
the risk by taking precautions seriously. Computer viruses and
malware are cause for legitimate concern, but there is ample time
and action that can avert potential problems.