http://weblog.philringnalda.com/2005/11/21/no-ask-what-bloglines-can-do-to-you/feed

Comments on No, ask what Bloglines can do to you

a digital magpie

Updated: 2016-10-24T13:44:47Z

By: Whirlycott / Philip Jacob » Skewering Bloglines (again)

2006-05-05T04:25:54Z

[…] In addition to Bloglines’ inability to make a sane feed reader, there are also very serious unresolved privacy problems, security problems and specification compliance problems. […]




By: Ben Lowery

2006-04-14T19:35:40Z

Hi Phil,

The various security issues presented in this thread have been addressed and fixes have been pushed out to the production site. Please let me know if you find any problems with the fixes, or if you find more issues.

Thanks,

Ben




By: Phil Ringnalda

2006-01-23T23:39:51Z

Or, maybe not.




By: Phil Ringnalda

2006-01-12T10:08:14Z

Bah. Martijn just got loop checked in, though he left onfinish for another bug, so we may still get to look down on IE for another three or four years.




By: Phil Ringnalda

2006-01-11T17:52:54Z

Nope, haven’t heard from them, but then I also haven’t reported anything else to them. I assumed that they would keep track of this thread, but it may be that they didn’t bother. But, a tracking number, real or fake, is certainly progress.




By: Sander

2006-01-10T23:34:43Z

Phil, have you been in further contact with bloglines on any of these remaining vulnerabilities?
I’ve been seeing quite a lot of requests for my example file, and am at this point starting to get worried that someone actually malicious is piecing all this information together. I even sent bloglines another message, but all I got was a stupid automatic response. (Even though this time it was a response that included an “incident tracking number”; is that progress?)




By: 79 Decibels - :

2005-12-05T01:04:20Z

[…] The poor response to a security hole in Bloglines has left a sour taste in my mouth. I’ve stopped using it in favor of just using something that runs on my web-server. At least this way I can peek through the code and lock it down if need be. Kudos to Bloglines for at least offering an easy way to export feeds, I do appreciate not being locked in. […]




By: Mark

2005-11-30T20:52:16Z

I tried that and couldn’t get it to work properly (it still visibly redirects the parent page), but I don’t really know anything about target attributes or iframes, having never used them for anything useful or legitimate.

On the topic of ”I can’t find any other ways to inject script,” you should really try harder. Bloglines doesn’t actually generate a page of HTML for your news items; it generates a lot of gnarly JavaScript strings that write out the HTML later. JavaScript has lots of weird quirks; one of them is that a ”” immediately ends the script, even if it occurred within a string.

Combine that with the fact that Bloglines doesn’t strip ”” from URLs, and you can generate a malformed link that breaks out of the script that Bloglines is executing and add arbitrary HTML content (including script, or iframes, or other allegedly sanitized elements) at that point in the page.

test case
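The break-out Mark describes, modelled as an added example (not code from Bloglines or from any commenter): a link URL spliced into an inline script as a JavaScript string, beside an encoder that keeps the data inside the script. `renderLink` is an assumed page-side helper, and the sample URL is constructed.

```javascript
// Added example, not code from Bloglines or from the commenters. It models the
// bug Mark describes: untrusted feed data (a link URL) spliced into an inline
// <script> as a JavaScript string. The HTML parser closes the script element at
// the first "</script" it meets, whether or not JavaScript thinks it is inside
// a string, so quote-escaping alone does not keep the data inside the script.

// Vulnerable generator: only backslashes and quotes are escaped.
function naiveScript(url, title) {
  const esc = (s) => s.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
  return '<script>document.write("<a href=\\"' + esc(url) + '\\">' +
         esc(title) + '</a>");</script>';
}

// Hardened encoder: JSON-encode, then replace every "<" with its \u003c escape
// (valid in both JSON and JavaScript), so the emitted literal can never contain
// "</script" or "<!--". U+2028/U+2029 are escaped for older engines in which
// they terminate a string literal.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Hardened generator: data reaches the page only as JS literals, handed to a
// page function (renderLink, assumed to exist and to build the <a> element with
// DOM APIs such as createElement/setAttribute rather than document.write).
function safeScript(url, title) {
  return '<script>renderLink(' + jsStringLiteral(url) + ', ' +
         jsStringLiteral(title) + ');</script>';
}

// Check: a generator that emits one script element should produce exactly one
// "</script" sequence; any extra one means the data closed the script early and
// the rest of the page is under the feed's control.
function countScriptEnds(markup) {
  return (markup.match(/<\/script/gi) || []).length;
}

// Constructed sample: a feed item whose link contains a closing script tag.
const SAMPLE_URL = "http://example.invalid/</script><b>injected</b>";
const SAMPLE_TITLE = "item";
```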




By: Phil Ringnalda

2005-11-30T08:36:02Z

My three hours earlier, but still late, thought would be that it’s because of the form’s target="_top", which you could just remove before you submit the form.

Somewhere else (and I can’t believe I can’t remember where) earlier tonight I was talking about RSS worms: it’s just a shame that probably essentially nobody subscribes to other people’s Bloglines-hosted blogs, because that would be such a nice way to propagate.




By: Mark

2005-11-30T08:07:44Z

You can do the same thing with script tags too. Not sure how I got stuck on the style+expression path of inquiry. And regular script tags have the advantage of working cross-browser. This link, for example, takes you to a web page which automatically subscribes you to a feed without your consent. (For reasons that are not clear to me at 3 AM, the entire page ends up visibly redirecting instead of Bloglines staying in the invisible IFRAME where it belongs. Not sure if there’s some .htaccess judo on their part, or if I’m just stupid.)

Let’s back up a second. A web page which automatically subscribes you to a feed without your consent. That seems… bad.