6

I'm trying to encourage an organization to fix their RSS feed, which has numerous problems with the way quotes and tags in the source text are displayed in feed readers. I'd like to be able to tell them that their feed constitutes a security risk for readers, because I think that might get their attention.

Here are a few of the issues I've documented:

  • spurious extended characters
  • pieces of random HTML markup
  • missing characters, including entire paragraphs at times
  • quote characters almost never appear (especially apostrophes)
  • missing spaces between words

Sometimes a post will be so messed up that I get page after page of garbage.

I've tested several feed readers, on Windows and Mac systems, and the problems appeared in all tests. The same material looks fine when viewed on the source page.

Assuming the answer is yes, how might the risk affect users?

2
  • Yes is the answer. Do you want more info? If so, please edit your question. Commented Dec 21, 2015 at 15:24
  • 1
    page after page of garbage = failure to deliver content correctly = loss of integrity and availability = security risk. Potentially additional consequences.
    – MCW
    Commented Dec 21, 2015 at 16:53

2 Answers

3

Malformed HTML, due to what you're describing where people are able to inject tags into the feed, can place users at risk of quite a few things.

  • pieces of random HTML markup
  • missing characters, including entire paragraphs at times
  • quote characters almost never appear (especially apostrophes)
  • missing spaces between words

This is the result of input sanitation, which is inherently insecure, buggy and not worth anyone's time, plus the lack of prepared statements, meaning the web application is vulnerable. Output sanitation is the answer here.

Let me repeat Mark C. Wallace, "page after page of garbage = failure to deliver content correctly = loss of integrity and availability = security risk. Potentially additional consequences."

Assuming the answer is yes, how might the risk affect users?

This is a really dangerous problem. How can it affect users? There are multiple ways:

  1. Injection of malicious JavaScript, Flash, Java, etc., into your user's pages.
  2. Injection of content that directs users to malware websites
  3. Injection of code tags into your client's website: <% %>, <?php ?>, etc., which allows for a full breach of pretty much everything.

3

By itself, malformed HTML is probably not placing their users at risk of anything other than developing an aversion to an amateurish, ugly feed. It's probably caused by an automated Word-to-HTML or PDF-to-HTML converter, but by themselves those won't create risk for their readers.

Do they include user-submitted data in their feed? If so, they could subject their users to a CSRF or XSS attack. Or they might be susceptible to script injection. But if so, those could be vulnerabilities regardless of whether or not the rest of their HTML is well formed. The fact that they don't test their feeds or care about their image may give their clients the impression they don't care about other issues such as security or data safety; but it's not proof of negligence.

Don't use 'security' as a stick unless you have more concrete evidence of a vulnerability. Instead, let them know their company image is coming across poorly. When you raise the stakes, you could say "if you don't care about this, why should I believe that you care about other things, like the safety of my data?" If they still do nothing, I suggest you look elsewhere for your source of topical news. There are millions of other web sites, some of which might serve you better.

3
  • They don't seem to include user-submitted data, but there are multiple authors, whose aptitude seems to vary. Some authors include HTML and other code in their posts, and that code is sometimes related to exploits (it's a security blog). There doesn't seem to be an editing or approval process. It does look like there's some kind of conversion being used as part of the posting process, but it's not at all clear what that is. I'm looking at security as a stick because pointing out the potential image problem didn't work. The feed validates; maybe validators don't test for these issues.
    – boot13
    Commented Dec 22, 2015 at 9:34
  • Then yes, they may be only a blogger's mistake away from creating a security problem for their readers. But that may be unrelated to the display problems with quotes and random markup, other than a general lack of concern for what they're publishing. What you see may even be the result of an app automatically sanitizing the blog posts and attempting to neuter the exploits being presented. Commented Dec 22, 2015 at 17:56
  • As for getting my news elsewhere: I'd happily do that, but it's not just an ordinary news site, it's a high profile security-related site.
    – boot13
    Commented Dec 23, 2015 at 11:36
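
An added example (not part of the original thread, and not the site's code) of gathering the concrete evidence the second answer asks for: it parses a feed and separates findings a reader could execute (script elements, event-handler attributes, `javascript:` URLs) from display-only damage, which a feed validator does not distinguish. The sample feed, the `audit_feed` name and the tag lists are constructed for illustration, and the checks are heuristics, not a complete sanitizer.

```python
import re
import xml.etree.ElementTree as ET  # for untrusted feeds, prefer defusedxml
from html.parser import HTMLParser

# Constructed sample feed; not taken from the site discussed on this page.
SAMPLE_FEED = """<rss version="2.0"><channel><title>Example</title>
<item><title>Cosmetic damage</title>
<description>It&amp;amp;#8217;s broken &lt;/span&gt; text</description></item>
<item><title>Active content</title><description>&lt;script&gt;1&lt;/script&gt;
&lt;img src="x.png" onerror="track()"&gt; &lt;a href="javascript:void(0)"&gt;read&lt;/a&gt;
</description></item></channel></rss>"""

ACTIVE_TAGS = {"script", "iframe", "object", "embed", "form"}
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}
DOUBLE_ESCAPED = re.compile(r"&amp;(#\d+|#x[0-9a-fA-F]+|[a-zA-Z]+);")

class Auditor(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.active, self.cosmetic, self.open_tags = [], [], []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.active.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):  # onclick, onerror, onload, ...
                self.active.append(f"{name} handler on <{tag}>")
            elif name in ("href", "src") and (value or "").strip().lower().startswith("javascript:"):
                self.active.append(f"javascript: URL in {name}")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:
            self.open_tags.remove(tag)
        else:  # closing tag with no opener: the "random markup" symptom
            self.cosmetic.append(f"stray </{tag}>")

def audit_feed(xml_text):
    """Map each item title to its active-content and cosmetic findings."""
    report = {}
    for item in ET.fromstring(xml_text).iter("item"):
        html = item.findtext("description") or ""  # XML layer already decoded
        auditor = Auditor()
        auditor.feed(html)
        auditor.close()
        if DOUBLE_ESCAPED.search(html):  # would render as literal "&#8217;"
            auditor.cosmetic.append("double-escaped entity")
        report[item.findtext("title")] = {"active": auditor.active, "cosmetic": auditor.cosmetic}
    return report
```

An item with an empty `active` list is only ugly; a non-empty one is the kind of finding worth reporting as a security issue.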
