Your blog reader has been hacked

One of the most interesting talks I saw at Black Hat two weeks ago was about how easy it is to use RSS feeds to infect unprotected computers with hostile code. Last week, I wrote about the latest research from Bob Auger on how reading blogs could leave you vulnerable to surveillance, identity theft, and being turned into a giant spam-engine.

What worries me is how free expression might be affected if blog readers are so easily turned into fraud machines:

If I were a bad guy and wanted to steal a bunch of passwords, I would hide some malicious code inside a comment on a popular blog. As soon as your reader downloaded that comment, you’d be infected. Or I would start a blog that sounded particularly interesting (or pornographic), tempt a bunch of people into subscribing to my feed, and inject naughty code into their computers that way. When you consider how many people automatically repost other people’s feeds onto their own blogs in a “what I’m reading” section or something like that, it’s clear how bad things could get.

But even worse, in the process of using the Web’s fastest free-speech engine to wreak havoc, the people injecting nasty code into blog feeds could undermine free speech itself.

Check out my story for more.

2 Responses to “Your blog reader has been hacked”

  1. Joe Buck Says:

    Please stop fear-mongering.

    Cross-site scripting bugs are not new, but the right answer is to fix the bugs in the RSS readers that the Black Hat session demonstrated, as well as to use caution: doing your online banking at the same time as reading obscure porn blogs might not be a good idea.

    What amazes me are the Luddites who are terrified that the net is going to snatch all their money away, but who don’t hesitate to turn their actual, physical credit card over to a server or busser that they’ve never met.

    Instead of your generalized fear-mongering, you could do more investigation and try to steer your readers away from particularly buggy and ill-maintained RSS readers, as well as to recommend practices for bloggers to avoid problems in this area.

  2. annalee Says:

    Ah yes. The old chestnut that somehow any discussion of security vulnerabilities is “fear-mongering.”

    Fact is, these CSS and CSRF bugs are common as dirt on the Web, and now somebody has found them in RSS readers. If you’d bothered to read my article, you’d see that I do name specific products affected and urge people to write more secure software.

    If it weren’t for what you dismiss as “fear-mongering,” nobody would know about these kinds of bugs at all, leaving consumers vulnerable and developers clueless.
