Security and RSS Issues
November 10th 2005
RSS is growing at lightning speed. Once known only as a "techie
tool", RSS is now used continuously by the general population.
Along with the good comes the not so good. While some have
mentioned the emergence of RSS spam, where content publishers
dynamically generate nonsensical feeds stuffed with keywords, the
real concern relates to security. Spam in RSS feeds is an annoyance
to the search engines, but it pales in comparison to the possible
security concerns that could be in RSS's future.
Security Implications Related to RSS.
As RSS gains momentum, security fears loom large. As publishers
quickly find innovative uses for RSS feeds, hackers are taking
notice. The power and extensibility of RSS in its simplest form is
also its Achilles' heel. The vulnerabilities lie in the expansion
capabilities of the RSS specification, specifically the "enclosure"
field, which launched the podcasting phenomenon.
The enclosure field in itself is not the problem; in fact, the
majority of RSS feeds do not even use the enclosure tag. The
enclosure tag is essentially used to link to files such as images,
Word documents, MP3 files, PowerPoint presentations and
executables, and can be thought of in similar terms to email
attachments.
The fact that RSS can be used to distribute these file types has
opened a myriad of doors to users of the syndication standard, but
also has created cause for concern.
Most people do not feel that the risk is significant because people
"choose" the content that they receive. While that might make the
distribution of malware, viruses and spy applications via RSS less
prevalent, there is still the inherent risk of an infected file being
distributed.
The problem is one of both technology and lack of education.
The danger lies in the fact that many RSS readers, news aggregators
and podcatchers automatically download the file referenced in the
enclosure field, regardless of its file type or source.
Most RSS developers acknowledge the risks associated with the
enclosure field, but few have had the forethought to include
filtering, screening or authentication capabilities and many
automatically download enclosures.
Nick Bradbury of Bradsoft/NewsGator seems to be proactive, designing
FeedDemon with security in mind. FeedDemon uses an editable safelist
of file types as well as allowing users to monitor what files are
automatically downloaded. FeedDemon also contains hard-coded
warnings related to specific file types.
The developers of ByteScout took a different approach to the handling
of enclosure files: ByteScout does not automatically download
anything without user intervention for each download.
Unfortunately, not all RSS readers, aggregators and podcatchers
consider the possible security implications associated with RSS
feeds and podcasts; some will automatically download enclosures
without warning or any thought for security. Be sure to examine how
your RSS reader handles files contained in the enclosure field of an
RSS feed.
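
As an added illustration (not code from FeedDemon, ByteScout or the original article), the following Python example applies the two approaches described above to the enclosures in a feed: a safelist of file types with warnings for specific types, and asking the user before anything else is downloaded. The safelist contents, the warning list, the function names and the sample feed are all assumptions constructed for this example.

```python
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumed, user-editable safelist: extension -> MIME types accepted for it.
SAFELIST = {".mp3": {"audio/mpeg"}, ".jpg": {"image/jpeg"}, ".png": {"image/png"}}
# Assumed list of types that always produce a warning, never a silent download.
WARN_EXTENSIONS = {".exe", ".scr", ".bat", ".vbs", ".doc", ".ppt"}

# Constructed sample feed (example.com URLs are placeholders).
SAMPLE_FEED = """<rss version="2.0"><channel><title>Constructed feed</title>
<item><title>Episode 12</title>
  <enclosure url="http://example.com/audio/ep12.mp3" length="1" type="audio/mpeg"/></item>
<item><title>Free screensaver</title>
  <enclosure url="http://example.com/files/saver.scr" length="1" type="application/octet-stream"/></item>
<item><title>Bonus track</title>
  <enclosure url="http://example.com/audio/bonus.mp3" length="1" type="application/x-msdownload"/></item>
<item><title>Renamed download</title>
  <enclosure url="http://example.com/get.exe?name=song.mp3" length="1" type="audio/mpeg"/></item>
</channel></rss>"""


def classify_enclosure(url, mime):
    """Return 'auto' (safelisted), 'ask' (user decides) or 'warn' (risky type)."""
    parsed = urlparse(url)
    # Use the URL path only, so a query string cannot disguise the extension.
    ext = posixpath.splitext(parsed.path)[1].lower()
    if parsed.scheme not in ("http", "https") or ext in WARN_EXTENSIONS:
        return "warn"
    if mime.strip().lower() in SAFELIST.get(ext, ()):
        return "auto"
    return "ask"  # unknown type, or declared MIME type disagrees with extension


def review_feed(xml_text):
    """List (item title, enclosure URL, decision) for every enclosure in a feed."""
    # Stdlib parser for brevity; a hardened parser is preferable for untrusted feeds.
    root = ET.fromstring(xml_text)
    decisions = []
    for item in root.iter("item"):
        title = item.findtext("title", default="(untitled)")
        for enc in item.findall("enclosure"):
            url, mime = enc.get("url", ""), enc.get("type", "")
            decisions.append((title, url, classify_enclosure(url, mime)))
    return decisions


if __name__ == "__main__":
    for title, url, decision in review_feed(SAMPLE_FEED):
        print(f"{decision:5} {title}: {url}")
```

Only the first enclosure is downloaded without a prompt; the declared MIME type is supplied by the feed publisher, so it is checked against the extension rather than trusted on its own.
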
With the increased use of RSS and podcasting, the security risks
increase too. There is cause for concern; however, proactive users
and conscientious developers can easily mitigate the risk by taking
precautions seriously. Computer viruses and malware are cause for
legitimate concern, but there is ample time, and action that can be
taken, to avert potential problems.
By Sharon Housley
Sharon manages marketing for FeedForAll, software for creating, editing
and publishing RSS feeds and podcasts. In addition, Sharon manages
marketing for FeedForDev, an RSS component for developers.