Hacking Feeds: Malware Javascript in RSS and Atom

New speculation today in ComputerWorld Security on potential vulnerabilities in web-based RSS readers:

RSS: Hacker Inside?

“The only reason we haven’t had a lot of problems yet is because no one has really thought of it,” he said. According to Sima, software and services used to download feeds transmitted via the RSS or Atom formats can unwittingly download and execute JavaScript code buried within the text. . . .

This way, seemingly garbled text can hide malicious JavaScript commands that can do damage without having to install or run an outside file, a telltale sign that would normally alert an antivirus or antispyware program.

I need to spend more time on the whitepaper, but at first blush this seems like old news. I’ll be curious to see how Bloglines, NewsGator and the other big web readers respond to this one.
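The defensive shape the article is asking for, as an added example that is not code from this post or from any of the readers it names: parse the Atom entry and push `type="html"` content through an allowlist filter before rendering, instead of unescaping the string and injecting it into the reader's own page. It uses only Python's standard library, and the feed it runs on is constructed here.

```python
import html
from html.parser import HTMLParser
from xml.etree import ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br", "img"}
URL_ATTRS = {("a", "href"), ("img", "src")}  # the only attributes kept, http(s) only
SAFE_SCHEMES = ("http://", "https://")

# Constructed sample (not from the post): type="html" content is entity-escaped XML
# text, so it reads as "garbled text" until a web reader unescapes and renders it.
SAMPLE_FEED = (
    '<feed xmlns="http://www.w3.org/2005/Atom"><entry><title>Test</title><content type="html">'
    '&lt;p&gt;Hi &lt;b&gt;there&lt;/b&gt;&lt;/p&gt;&lt;script&gt;alert(1)&lt;/script&gt;'
    '&lt;img src=x onerror="alert(2)"&gt;&lt;a href="javascript:alert(3)"&gt;link&lt;/a&gt;'
    '</content></entry></feed>')

class FeedSanitizer(HTMLParser):
    # Allowlist filter: keep harmless formatting, drop anything executable.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside <script>/<style>
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        elif tag in ALLOWED_TAGS and not self.skip:
            kept = ""
            for name, value in attrs:  # on* event handlers never match URL_ATTRS
                if (tag, name) in URL_ATTRS and (value or "").lower().startswith(SAFE_SCHEMES):
                    kept += f' {name}="{html.escape(value)}"'
            self.out.append(f"<{tag}{kept}>")
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and tag not in ("br", "img") and not self.skip:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

def sanitize(fragment):
    parser = FeedSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)

def render_entries(feed_xml):
    # Yield (title, safe_html) per entry; only type="html" carries markup to filter.
    for entry in ET.fromstring(feed_xml).findall(ATOM + "entry"):
        content = entry.find(ATOM + "content")
        text = (content.text or "") if content is not None else ""
        is_html = content is not None and content.get("type") == "html"
        body = sanitize(text) if is_html else html.escape(text)
        yield html.escape(entry.findtext(ATOM + "title", default="")), body
```

On the sample feed the script block, the `onerror` handler and the `javascript:` link all disappear while the paragraph and bold text survive; `type="text"` content is never treated as markup at all.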

Image courtesy of muchomas.

Update 8/7/2006:

Nick Bradbury of FeedDemon says: FeedDemon not vulnerable.

Update 8/8/2006:

I managed to hose at least one online reader. I’m making my test scripts available to the community as a way to document the problems and then start fixing them. Info here.

Update 8/9/2006:

Microsoft talks about how they are addressing these issues in IE7 and Windows RSS Platform.

One Response to “Hacking Feeds: Malware Javascript in RSS and Atom”

  1. Jeremy Says:

    I know this isn’t new, but there are STILL security issues with RSS portal sites allowing javascript to run through the feeds…

    http://www.adagereport.com/?action=view_comment&id=28