Comments on: Black Hat presentation exposes RSS and Atom risks in the wild
Niall Kennedy's Weblog (Niall Kennedy's home on the web)
http://www.niallkennedy.com/blog/2006/08/black-hat-prese.atom

Updated: 2012-07-02T14:52:24Z

By: Jack Brewster

2006-08-07T05:34:41Z

Nick Bradbury of FeedDemon has blogged about this:

FeedDemon is not vulnerable to any of the more serious exploits they reported – so you can imagine my surprise at seeing news reports which listed FeedDemon among the vulnerable RSS readers. Because of this, I’d like to take a few minutes to go over some of FeedDemon’s security features.

Please see his blog post for the full details.

Jack Brewster
Technical Support
NewsGator Technologies




By: Kevin Burton

2006-08-05T00:05:38Z

I spent an insane amount of time preventing this at Rojo.

Mark is right: people don't care (at least until a security researcher calls them on it). Even then they don't really care, because they forget about it 48 hours later.

I have some solutions to this, but they require changes across all browsers, which I don't really have the time to spend pushing on the browser vendors.

Hm... maybe a microformat for this... stay tuned.




By: Mark

2006-08-04T17:50:37Z

Sigh. Been saying this for years. Literally. I have permalinks to prove it. Nobody cares. We publicly disclosed a Bloglines bug that allowed you to construct a web page that autosubscribed a visitor to the feed of your choice. Then we publicly disclosed an entirely separate bug where you could construct a feed that did the same thing (autosubscribe the user to another feed) just by previewing it in Bloglines. Bloglines sat on them for over six months.
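
The thread above is about feed entries carrying script or other active HTML into the context in which a reader renders them (the risk the Black Hat talk was about, what Kevin says Rojo spent so long preventing, and, assuming the mechanism was markup in the feed, the "preview a feed and get subscribed" Bloglines bug Mark describes). The following is an added example of the reader-side defence, not code from Niall Kennedy's post, from any commenter, or from Bloglines, Rojo or FeedDemon: an allow-list sanitizer applied to each item's description before rendering. The sample RSS document, the tag and attribute lists, and the function names are all constructed for this example. The companion bug Mark mentions, a third-party web page triggering a subscribe, is cross-site request forgery against the reader's subscribe endpoint and needs a different fix (a per-session token checked on that request), which this example does not cover.

```python
"""Sanitize HTML carried in RSS/Atom entries before a feed reader renders it.

Added example; not code from the original post, its commenters, or any of the
readers they name. SAMPLE_RSS is a constructed feed, not a captured one.
"""
import xml.etree.ElementTree as ET
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: one RSS item whose description smuggles active content
# through the usual channels (event handlers, javascript: URLs, script, iframe).
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>demo</title>
<item>
  <title>hello</title>
  <description><![CDATA[
    <p onmouseover="alert(1)">Read <a href="javascript:alert(1)">this</a>
    and <a href="http://example.com/post">that</a>.</p>
    <script>document.location='http://attacker.example/sub?feed=evil'</script>
    <img src="http://example.com/a.png" onerror="alert(1)">
    <iframe src="http://attacker.example/"></iframe>
  ]]></description>
</item></channel></rss>"""

# Allow-list policy (assumed for this example): everything not listed is removed.
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li", "br",
                "blockquote", "code", "pre", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https"}
VOID_TAGS = {"br", "img"}
# For these, the element *and its contents* are dropped, not just the tag.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}


def safe_url(value):
    """Accept only absolute http(s) URLs.

    Rejects javascript:, data:, vbscript: and relative URLs, and refuses any
    value containing control characters (browsers strip tabs/newlines inside
    a scheme, so "java\\tscript:" would otherwise slip through a naive check).
    """
    if any(ord(ch) < 0x20 for ch in value):
        return False
    return urlsplit(value.strip()).scheme.lower() in SAFE_SCHEMES


class FeedSanitizer(HTMLParser):
    """Re-serialises a fragment keeping only allow-listed tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.drop_depth = 0  # > 0 while inside a DROP_CONTENT_TAGS element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: strip the tag itself, keep its text
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # this is what removes every on* handler and style=
            if name in URL_ATTRS and not (value and safe_url(value)):
                continue
            kept.append(' %s="%s"' % (name, escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data))  # text is re-escaped, never trusted


def sanitize_html(fragment):
    parser = FeedSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def sanitize_feed(xml_text):
    """Return [(title, safe_description_html)] for every <item> in an RSS feed."""
    root = ET.fromstring(xml_text)
    return [(escape(item.findtext("title") or ""),
             sanitize_html(item.findtext("description") or ""))
            for item in root.iter("item")]


if __name__ == "__main__":
    for title, body in sanitize_feed(SAMPLE_RSS):
        print(title)
        print(body)
```

The design choice that matters is the allow-list: a blacklist of "bad" tags is what readers of that era tended to ship, and it loses to every encoding trick (entity-encoded `javascript:`, unusual event attributes, tags the author never heard of). Here anything unlisted is removed, URL attributes must parse to an http(s) scheme after entity decoding, and the text of `script`/`iframe`/`object` is discarded rather than escaped, so the rendered item can at most show formatted text, links and images.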