RSS Security


  • Author Sharon Housley
  • Published September 27, 2005
  • Word count 533

RSS is growing at lightning speed. What was once known only as a "techie tool" is becoming a tool used every day by the general population. Along with the good comes the not so good. Some have noted the emergence of RSS spam, where content publishers dynamically generate nonsensical feeds stuffed with keywords, but the real concern is security. While an annoyance to the search engines, spam in RSS feeds pales in comparison to the security problems that could lie in RSS's future.

Security Implications Related to RSS

As RSS gains momentum, security fears loom large. As publishers quickly find innovative uses for RSS feeds, hackers are taking notice. The power and extensibility of RSS in its simplest form is also its Achilles' heel. The expansion capabilities of the RSS specification, specifically the "enclosure" element that launched the podcasting phenomenon, are where the risk lies. The enclosure element in itself is not the problem; in fact, the majority of RSS feeds do not even use it. The enclosure element is used to link to a file by URL, declared length and MIME type: images, Word documents, MP3 files, PowerPoint presentations, and executables. It can be thought of in terms similar to an email attachment.

The fact that RSS can be used to distribute these file types has opened a myriad of doors to users of the syndication standard, but it has also created cause for concern. Most people do not feel that the risk is significant because people "choose" the content they receive. While that choice may make the distribution of malware, viruses and spyware via RSS less prevalent, there is still the inherent risk of an infected file being distributed: the subscriber chose the feed, not the individual file, and a compromised or malicious publisher can attach anything to it.

The problem is one of both technology and a lack of education. The danger lies in the fact that many RSS readers, news aggregators and podcatchers automatically download the file referenced in the enclosure field regardless of its file type or source.

Most RSS reader developers acknowledge the risks associated with the enclosure field, but few have had the forethought to include filtering, screening or authentication capabilities, and many readers download enclosures automatically.

Nick Bradbury of Bradsoft/NewsGator has been proactive, designing FeedDemon with security in mind. FeedDemon uses an editable safelist of file types and lets users monitor which files are downloaded automatically. FeedDemon also contains hard-coded warnings for specific file types.

The developers of ByteScout took a different approach to the handling of enclosure files: ByteScout does not download anything automatically and requires user intervention for each download.
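As an added example, and not FeedDemon's, ByteScout's or the article's own code, the following Python enclosure-policy check combines the two approaches described above. It parses the enclosure elements of an RSS 2.0 document, blocks any source that is not HTTP(S), applies an editable safelist of file extensions, attaches hard-coded warnings to file types that can execute code or carry macros (including the "song.mp3.exe" trick, where the declared MIME type says audio but the extension says executable), and can be switched to ask the user before every download. The sample feed, the safelist contents and the warning table are constructed for the demonstration; a real reader would let the user edit them.

```python
"""Enclosure-handling policy for an RSS reader.

Parse <enclosure> elements and decide, per an editable safelist, whether each
file may be fetched automatically, needs a warning, or must wait for the user.
Illustrative code written for this article; not FeedDemon's or ByteScout's.
"""
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Editable safelist: extensions the reader may fetch without asking.
# Hypothetical defaults chosen for the example.
SAFE_EXTENSIONS = {".mp3", ".m4a", ".ogg", ".jpg", ".jpeg", ".png", ".gif", ".pdf"}

# Hard-coded warnings for types that can run code or carry macros when opened.
WARN_EXTENSIONS = {
    ".exe": "Windows executable",
    ".msi": "Windows installer",
    ".bat": "batch script",
    ".cmd": "batch script",
    ".scr": "screensaver (executable)",
    ".vbs": "Visual Basic script",
    ".js": "script",
    ".doc": "Word document (may carry macros)",
    ".ppt": "PowerPoint presentation (may carry macros)",
    ".xls": "Excel workbook (may carry macros)",
}

# Enclosures must come from the web; file://, ftp:// and the like are refused.
ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample feed for the demonstration, not a real publisher's feed.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Example podcast</title>
    <item>
      <title>Episode 1</title>
      <enclosure url="http://example.com/ep1.mp3" length="12345678" type="audio/mpeg"/>
    </item>
    <item>
      <title>Show notes</title>
      <enclosure url="http://example.com/notes.doc" length="40960" type="application/msword"/>
    </item>
    <item>
      <title>Free update</title>
      <enclosure url="http://example.com/update.mp3.exe" length="204800" type="audio/mpeg"/>
    </item>
    <item>
      <title>Local file</title>
      <enclosure url="file:///etc/passwd" length="1" type="text/plain"/>
    </item>
  </channel>
</rss>
"""


def classify_enclosure(url, declared_type, auto_download):
    """Return (decision, reason) for one enclosure.

    decision is one of:
      "download" - extension on the safelist and auto-download is enabled
      "ask"      - safe type with auto-download disabled, or an unlisted type
      "warn"     - type carries a hard-coded warning; never fetched silently
      "block"    - URL scheme not permitted
    The decision is based on the real extension in the URL path, not on the
    publisher-declared MIME type, which a malicious feed controls.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return "block", f"scheme {parts.scheme!r} not permitted"
    # splitext on the path (query string already stripped) yields the LAST
    # extension, so "update.mp3.exe" is judged as ".exe".
    ext = posixpath.splitext(parts.path)[1].lower()
    if ext in WARN_EXTENSIONS:
        return "warn", f"{WARN_EXTENSIONS[ext]} ({ext}); declared type {declared_type}"
    if ext in SAFE_EXTENSIONS:
        if auto_download:
            return "download", f"{ext} on safelist"
        return "ask", f"{ext} on safelist but auto-download disabled"
    return "ask", f"unlisted type {ext or '(none)'}; declared type {declared_type}"


def review_feed(xml_text, auto_download=True):
    """Parse an RSS 2.0 document and return one (title, url, decision, reason)
    tuple per enclosure, in document order."""
    root = ET.fromstring(xml_text)
    results = []
    for item in root.iter("item"):
        title = item.findtext("title", default="(untitled)")
        for enc in item.findall("enclosure"):
            url = enc.get("url", "")
            decision, reason = classify_enclosure(url, enc.get("type", ""), auto_download)
            results.append((title, url, decision, reason))
    return results


if __name__ == "__main__":
    for title, url, decision, reason in review_feed(SAMPLE_FEED):
        print(f"{decision:8} {title!r:14} {url} -> {reason}")
```

Run with `auto_download=False` to get ByteScout-style behaviour, where even safelisted audio files wait for the user; with the default, only the MP3 is fetched silently, the Word document and the disguised executable raise a warning, and the file:// enclosure is refused outright.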

Unfortunately, not all RSS readers, aggregators and podcatchers consider the security implications of RSS feeds and podcasts; some will download enclosures automatically, without warning or any thought of security. Be sure to examine how your RSS reader handles the files referenced in the enclosure field of a feed: whether it downloads them automatically, whether it filters by file type, and whether it warns before fetching executables.

With the increased use of RSS and podcasting, the security risks increase with it. There is cause for concern, but proactive users and conscientious developers can greatly reduce the risk by taking precautions seriously. Computer viruses and malware are a legitimate concern; there is still time, and action that can be taken, to avert potential problems.

Sharon Housley manages marketing for FeedForAll http://www.feedforall.com, software for creating, editing and publishing RSS feeds and podcasts. In addition, Sharon manages marketing for FeedForDev http://www.feedfordev.com, an RSS component for developers.

Article source: https://articlebiz.com
