Last week in “Hacking RSS: The Threat is Real“, I reported that I “blew up my online web reader account” with some simple RSS javascript attack scripts (I currently have 52 tests across 5 files.)

I withheld NewsGator’s name to give them a chance to fix the problems, but it seems that is no longer productive. James Snell has just outed FeedDemon and NewsGator’s Atom vulnerabilities with his (very extensive) test suite.

I had privately reported my findings to NewsGator on August 8… I even called Denver to see if I could get a real person on the line. (No luck, so I resorted to email.) They said they’d let the developer team know, and that was that. Now that James has named NewsGator specifically, my circumspection is no longer needed.

A simple script in the title element of an RSS 2.0 channel is enough to really hork up NewsGator’s interface, since it appears to corrupt the DOM-driven layout of NewsGator Online feed browser. Click the image below to see it full-size:

Still no word back from NewsGator on how long it will take for them to solve these problems. For their sake, I hope it is sooner than later.

Update: I got an email from the NewsGator dev team, and they plan to have a fix in later today. I’ll post my updated results then.

Update: As of 12:01am August 21, the problems remain. The dev team has kindly offered to keep me appraised.

This entry was posted on Friday, August 18th, 2006 at 16:16 and is filed under syndication. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.