It’s just data

Attack Delivery TestSuite

It is just a matter of time.  One of these days, some hacker will deface a popular site like Engadget.  But instead of putting something visible on the site, they will put something invisible in the feed.

By the magic of syndication, that data will then be distributed like spores to untold thousands of locations.  In the process it will be transported from a relatively untrusted location (like BoingBoing) to a place of equal or greater trust.  Places like popular portal sites, or just perhaps, to your very own hard drive.

From there, it will lie in wait until you check for news.  Invisibly it will spring into action.  You won’t even notice it running.  It will be able to do things that vary from uploading your preferences and passwords to a remote location, to downloading malware onto your machine.  Shortly thereafter, this entry will be marked as read, or scroll off the bottom of your river of news, and you will never know how you just got p0wned.

Last week, SPI Dynamics presented a whitepaper on this topic.  Underreported at the time was the cooperation and dedication that a number of authors of popular feed reader software have demonstrated to date.  Also underreported is the difficulty of reliably detecting the presence of JavaScript in feeds.

As a first step, James Holderness devised 85 tests for Snarfer.  None of these tests attempts to do anything malicious; instead they simply attempt to produce a popup identifying the source of the exposure.  I’ve tried these tests against the latest Universal Feed Parser, and in each case the JavaScript was either outright removed or otherwise rendered harmless.
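To make concrete what "removed or otherwise rendered harmless" has to cover, here is an added example (my own illustration, not the Snarfer tests, and not code from the Universal Feed Parser) of a whitelist sanitizer applied to the HTML carried in a constructed Atom feed.  The entry payloads are modelled on the general shape of such tests: each one only tries to pop an alert that names the vector.  The tag, attribute and URI-scheme whitelists are assumptions chosen for the example; the point is that the HTML arrives as escaped character data inside the XML, comes out as a string, and must never reach a renderer untouched.

```python
"""Added example: whitelist sanitizer for HTML carried in feed entries."""
import re
import xml.etree.ElementTree as ET
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed whitelists for the example; a real reader would tune these.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "ul", "ol", "li",
                "img", "blockquote", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
URI_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "img"}
# Elements whose content must be dropped too, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed", "applet"}
CONTROL_CHARS = re.compile(r"[\x00-\x20\x7f]")
ATOM_NS = "{http://www.w3.org/2005/Atom}"


def safe_uri(value):
    """True if the URI has no scheme or an allowed one.  Control characters
    and whitespace are stripped first: 'jav\\tascript:' is still javascript:
    once a browser is done with it, so the check must see the same thing."""
    cleaned = CONTROL_CHARS.sub("", value)
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


class FeedHTMLSanitizer(HTMLParser):
    """Rebuilds a fragment from whitelisted tags and attributes only.
    The parser already decodes entity-encoded attribute values, so
    'jav&#x09;ascript:' reaches safe_uri() as a literal tab."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside an element whose content is dropped

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unlisted tag: drop the tag (and its on*/style), keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops every on* handler, style, and anything unlisted
            value = value or ""
            if name in URI_ATTRS and not safe_uri(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # re-escape text on output

    def handle_comment(self, data):
        pass  # comments (including conditional comments) never reach the output


def sanitize_html(fragment):
    parser = FeedHTMLSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


# Constructed entries: each payload only tries to pop an alert naming the vector.
ENTRIES = [
    ("script element", "<script>alert('script element')</script><p>plain</p>"),
    ("event handler", "<img src=\"x\" onerror=\"alert('event handler')\">"),
    ("javascript uri with tab", "<a href=\"jav&#x09;ascript:alert('uri')\">click</a>"),
    ("css url", "<p style=\"background:url(javascript:alert('css'))\">styled</p>"),
    ("unknown wrapper", "<div onmouseover=\"alert('div')\"><b>bold</b></div>"),
    ("iframe", "<iframe src=\"javascript:alert('iframe')\"></iframe>after"),
    ("legitimate link", "<a href=\"http://example.com/?q=1&amp;r=2\">ok</a>"),
]


def build_feed(entries):
    """Constructed Atom feed: the HTML is escaped into XML text, so to the XML
    parser it is just character data (the 'it's just data' of the title)."""
    items = "".join(
        "<entry><title>%s</title><content type=\"html\">%s</content></entry>"
        % (escape(title), escape(body)) for title, body in entries)
    return '<feed xmlns="http://www.w3.org/2005/Atom">%s</feed>' % items


def sanitize_feed(xml_text):
    """Return {entry title: sanitized HTML} for every entry in the feed."""
    root = ET.fromstring(xml_text)
    result = {}
    for entry in root.findall(ATOM_NS + "entry"):
        title = entry.findtext(ATOM_NS + "title")
        content = entry.find(ATOM_NS + "content")
        raw = content.text or ""
        if content.get("type") == "html":
            result[title] = sanitize_html(raw)
        else:
            result[title] = escape(raw)  # type="text": escape it wholesale
    return result


if __name__ == "__main__":
    for title, cleaned in sanitize_feed(build_feed(ENTRIES)).items():
        print("%-24s -> %s" % (title, cleaned))
```

Two design choices matter here.  The sanitizer is a whitelist that rebuilds output rather than a blacklist that deletes patterns, so anything the author did not think of (a new event handler, an odd attribute) is dropped by default.  And the URI check runs on the decoded, control-stripped value, because a reader that compares the raw attribute string against "javascript:" will let the entity-encoded and tab-split variants straight through.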

Sometime in November (i.e., in about 90 days), and with James’s consent, I will commit these tests as a part of the Feed Parser regression test suite.  At which point, they will be open source, and easy to find by friend and foe alike.

Meanwhile, if you are developing software that consumes feeds, please get hold of either James or myself and we will share these tests with you.  Contributions of additional tests are also welcome.