Recently, Rob, I and a friend of ours - Clive - were chatting about the possibilities of cross-site scripting vulnerabilities brought about by the vast number of RSS syndication systems floating around.

The following is an unguarded <script> directive. If you’re reading this on my blog then it will, naturally, display. However, if you’re reading this entry via some syndication, then it may not.

If the above bullet point contains no text, you’re probably safe. If it contains a pile of escaped HTML indicating a JavaScript script, you’re probably safe. If it consists entirely of a strongly formatted message about unhidden script tags, then your syndication system passes JavaScript through seemingly unmolested. In the last of those cases you should worry if your aggregator is private in any way, because goodness knows what damage could be done by JavaScript running in the security context of your browser when viewing your RSS aggregator (especially if this is LiveJournal and you’re logged in).
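The same three-way check can be run offline against an aggregator's rendered output. This is an added example, not code from the original post: the marker string, the canary script and the three sample renderings are constructed, and it only looks for live `<script>` elements.

```python
from html.parser import HTMLParser

MARKER = "rss-canary-7f3a"  # constructed marker, not from the post
# Constructed test payload to place in a feed item's description.
CANARY = '<script>document.write("' + MARKER + '")</script>'

class _Scan(HTMLParser):
    """Records where the marker ends up in the aggregator's rendered HTML."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_script = False
        self.live = False     # marker sits inside a real <script> element
        self.escaped = False  # marker shown as text next to escaped markup

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if MARKER not in data:
            return
        if self.in_script:
            self.live = True
        elif "<script" in data.lower():
            self.escaped = True

def classify(rendered_html):
    """Return 'passed-through', 'escaped' or 'stripped' for one rendered item."""
    scan = _Scan()
    scan.feed(rendered_html)
    scan.close()
    if scan.live:
        return "passed-through"  # script would run in the reader's session
    if scan.escaped:
        return "escaped"         # markup shown as inert text
    return "stripped"            # script element removed by the aggregator

# Constructed renderings of the same item by three hypothetical aggregators.
SAMPLES = {
    "a": "<li></li>",
    "b": "<li>&lt;script&gt;document.write(\"" + MARKER + "\")&lt;/script&gt;</li>",
    "c": "<li>" + CANARY + "</li>",
}

if __name__ == "__main__":
    for name, html in SAMPLES.items():
        print(name, classify(html))
```

Only the "passed-through" result corresponds to the worrying case described above; the other two match the "probably safe" outcomes.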

If we’re wrong then all our fears are unjustified and I’ll get a raft of people complaining about me scaremongering. If we’re right to be worried, though, then people will discover that their RSS aggregators have at best nothing to worry about and at worst a great big gaping scary security hole of doom. Let’s hope our fears are unjustified.

Update: We have checked and LiveJournal seems to be nicely immune to this kind of attack, so kudos to those guys for being switched on.
