RSS offers opportunities, risks

LAS VEGAS'As more Web sites let visitors use Really Simple Syndication to personalize their pages, syndicated content could be the next big channel for the Internet.

That means it might also be the next big vector for malware, according to some researchers from SPI Dynamic Inc. of Atlanta.

'In our research we have found a number of RSS clients, both local and Web-based, that are far too trusting of the content that is delivered via feeds,' said security engineer Robert Auger.

Speaking at this week's Black Hat Briefings cybersecurity conference, Auger presented a summary of some of the threats that could be delivered with your daily news feed. Cross-site scripting or other types of malicious code could be included along with the latest sports scores and developments in the Middle East.

Auger started looking into RSS vulnerabilities about a year ago.

'I had to create a feed for my own site to syndicate my content,' he said. 'Then I started looking at how that content was being used. Some of the things I found were interesting.'

Even though data delivered by RSS feeds originates remotely, many clients display the data as if it were trusted local material.

RSS is a family of formats using Extensible Markup Language to deliver new content, often from Web sites, to subscribers. Rather than a user periodically checking his favorite sites to see what's new, an RSS-aware program or reader gathers this content from selected sites and delivers summaries of it and links, often to a personalized Web page or by e-mail.

There are several more or less incompatible branches to the family. Sometimes RSS means Really Simple Syndication, and sometimes Rich Site Summary or RDF Site Summary. The distinction between the various flavors and versions is of interest primarily to developers of sites enabled to provide the feeds, which might have to accommodate several of them. The readers, which can be Web-based or client software, often support multiple versions of the format.

One of the dangers of RSS as an attack vector is that threats need not come from a malicious site. Many sites allow posting of comments by readers, which often are forwarded as RSS feeds. A reader could include malicious code in a post expecting it to get forwarded. Some programs aggregate content from multiple RSS feeds for delivery to subscribers, opening up another doorway for bad code from a third'or fourth'party.

Auger set out to discover whether it would be practical to execute such an attack.

'There isn't a lot of information on the issue out there,' he said. 'When I started my research early in the year, there was an issue with the Yahoo! online reader,' which could allow malicious or malformed code to be inserted. 'And recently there was one about a Google feed. Somebody had started smoke-testing these types of sites.'

The issue is not completely new, however. At least one RSS vulnerability has been submitted for inclusion in the Common Vulnerabilities and Exposures lexicon, developed by Mitre Corp. of Bedford, Mass. This vulnerability [CVE-2006-2420 at the site http://cve.mitre.org ] currently is under review.

RSS exploits apparently have not yet been identified in the wild, but that does not mean they are not there.

'It's possible that people have been utilizing it for a while,' Auger said, although it is not likely.

The consensus among security experts is that a critical mass of users has to exist before a channel attracts enough attention from hackers and researchers for vulnerabilities to be found and exploits developed and deployed. There is no formal definition of what that critical mass is, but with the growth in personalized Web sites and weblogs that use the technology, RSS could be approaching it.

'It's reaching a much wider audience,' Auger said.

That could be an understatement. Terms such as 'coming of age' and 'mainstream' are being used by analysts to describe the growth in RSS.

A survey of more than 4,000 Internet users published in October by Yahoo! showed that although public awareness of the technology still is low, its use is surprisingly high. Only 12 percent of respondents were aware of RSS and only 4 percent knowingly use it. But a surprising 27 percent unknowingly consume RSS content, primarily through personalized Web pages such as My MSN and My Yahoo!

The growth in syndicated content could become even greater as various flavors of RSS are incorporated in more software. Microsoft is baking syndication technology into its Vista operating system and Microsoft Outlook 2007 will have RSS integrated into its interface.

The content of choice for RSS users now is world and national news, and most major news sites already offer RSS feeds of some kind. Weather, sports, local news and blogs also are popular content.

In a recent study by Jupiter Research, 63 percent of popular Web sites surveyed reported plans to introduce RSS in 2006, which would make RSS feeds available from a majority of well-frequented sites.

With RSS becoming ubiquitous, some thought may have to be given to limiting vulnerabilities.

'Input validation is the key,' Auger said. This means readers need to sanitize content before it is displayed. Users could disable JavaScript on some client software and browsers, but 'there are some things you can do with HTML, so just disabling scripting is not enough.'

As with so many other security issues, we may have to give something up to remain safe.

'You get into the area of usability vs. security,' Auger said.