Thursday 10 March 2011

RSS Aggregators and their Security



Many RSS readers, news aggregators, or pod-catchers automatically download the information contained in the enclosure field regardless of its file type or source.

An infected feed can include scripts that install malicious software capable of executing pretty much anything, or scripts that simply steal cookies, for example.

Basically, these exploits are normally read and executed within HTML entities of the RSS feed. The harmful scripts are executed after they arrive on your computer and are read. There’s no way of knowing right away that you’re reading an infected RSS feed, and even once something goes wrong you won’t know whether the RSS feed caused the problem.

Some developers of RSS aggregators have become more aware of the security problem and have their own solutions, which can improve a computer's protection. They take different approaches to it.

FeedDemon uses an editable safelist of file types as well as allowing users to monitor what files are automatically downloaded. FeedDemon also contains hard-coded warnings related to specific file types.

The developers of ByteScout took a different approach to the handling of enclosure files: ByteScout does not automatically download anything without user intervention for each download.
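
A sketch of how the two approaches above can be combined, added here as an illustration and not taken from FeedDemon or ByteScout: each enclosure is checked against a safelist of file types, and anything that fails is left for the user to decide. The safelist contents, the function names and the sample feed are assumptions made for this example.

```python
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumed safelist: declared MIME type -> file extensions accepted for it.
SAFE_TYPES = {
    "audio/mpeg": {".mp3"},
    "audio/mp4": {".m4a"},
    "video/mp4": {".mp4", ".m4v"},
}

# Constructed sample feed (not taken from any real site).
SAMPLE_FEED = """<rss version="2.0"><channel><title>Example cast</title>
<item><title>Ep 1</title><enclosure url="https://media.example.com/ep1.mp3"
  length="1234" type="audio/mpeg"/></item>
<item><title>Ep 2</title><enclosure url="https://media.example.com/ep2.mp3.exe"
  length="1234" type="audio/mpeg"/></item>
<item><title>Ep 3</title><enclosure url="ftp://media.example.com/ep3.mp3"
  length="1234" type="audio/mpeg"/></item>
<item><title>Ep 4</title><enclosure url="https://media.example.com/ep4.mp3"
  length="1234" type="application/octet-stream"/></item>
</channel></rss>"""

def check_enclosure(url, mime):
    """Return (allowed, reason) for one enclosure; nothing is fetched."""
    parts = urlparse(url.strip())
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    extensions = SAFE_TYPES.get(mime.strip().lower())
    if extensions is None:
        return False, "type not on safelist"
    if posixpath.splitext(parts.path)[1].lower() not in extensions:
        return False, "extension does not match declared type"
    return True, "ok"

def review_feed(xml_text):
    """List (title, url, allowed, reason) for every enclosure in the feed."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("feed declares a DTD; refusing to parse")
    decisions = []
    for item in ET.fromstring(xml_text).iter("item"):
        title = item.findtext("title", default="(untitled)")
        for enc in item.findall("enclosure"):
            url, mime = enc.get("url", ""), enc.get("type", "")
            decisions.append((title, url) + check_enclosure(url, mime))
    return decisions

if __name__ == "__main__":
    for title, url, allowed, reason in review_feed(SAMPLE_FEED):
        print("DOWNLOAD-OK" if allowed else "ASK-USER  ", title, url, reason)
```

The declared type comes from the feed itself, so it is only a first filter; the extension check catches a file whose name contradicts that declaration.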

 

Monday 21 February 2011

RSS Feed and RSS Reader Security Risks



       Anti-malware applications and spam filters are now widely used by nearly all users. Yet digital garbage may still be pouring into your machines from an unsuspected source: RSS and Atom feeds.

       Both feed formats automatically deliver updated news and other types of Web information directly to subscribers' readers and aggregators. But feeds can also be used by hackers to secretly transfer viruses, Trojan horses, worms and various other types of malware. That's because feed suppliers often scoop up content automatically without giving thought to the code's safety. As a result, data — both good and bad — is transferred directly to subscribers' computers.

       Malware, such as bad HTML and JavaScript, can enter the feeds of even well-known and respected RSS and Atom content suppliers when material is pulled in from other sources without first being checked.

       Furthermore, the supplier itself may be a source for yet other suppliers. Such "re-syndication," which exposes content to perhaps millions of computers within just a few hours, makes RSS and Atom feeds a tempting delivery medium for savvy hackers.

What to Do

       Simply banning the use of readers and aggregators isn't a good idea, since the move will deny users access to truly useful content, such as news updates. A better approach is to ensure that an approved reader or aggregator contains tools that can strip away malicious code before it can do any damage.

       Some vendors are aware of the feed security problem and have taken the steps necessary to address it in their products. Microsoft, for example, meets these criteria. According to Microsoft, the company's Windows Vista and Internet Explorer 7 products employ a dual-pronged approach to feed security:
  1. Sanitization: The Windows RSS Platform uses several techniques to strip out dangerous JavaScript — and several other variations of malicious HTML — before storing the feed content. 
  2. Restricted Feed View: In the event the first step misses an intruder, Internet Explorer's feed view uses a Restricted Zone approach to spot problematic feeds so that no dangerous script in a feed will ever run, even if it made it through the previous step.

Monday 10 January 2011

Main points to know about RSS Aggregators

Information everyone should know about RSS Aggregators:

1) RSS is an acronym for Really Simple Syndication and Rich Site Summary. RSS is an XML-based format for content distribution.

2) An RSS feed is a set of instructions residing on the computer server of a Web site, which is given upon request to a subscriber’s RSS reader, or aggregator. The feed tells the reader when new material — such as a news article, a blog posting, or an audio or a video clip — has been published on the Web site.

3) Feed Reader or News Aggregator software allows you to grab the RSS feeds from various sites and display them for you to read and use. Some popular feed readers include Amphetadesk (Windows, Linux, Mac), FeedReader (Windows), and NewsGator (Windows - integrates with Outlook). There are also a number of web-based feed readers available. My Yahoo, Bloglines, and Google Reader are popular web-based feed readers.  

4) Google Reader is a Web-based aggregator, capable of reading Atom and RSS feeds online or offline. It was released by Google on October 7, 2005 through Google Labs. 

5) Websites summarize content in an RSS feed. Visitors download an RSS reader. There are generally two different types of RSS readers. The first kind of feed reader is a self-contained program; the second kind of feed reader uses a web browser. Visitors select the content and summaries they wish to view in a news aggregator or RSS reader. Each time the feed is updated, the RSS reader indicates that there is new content.

6) Atom being a newer format than RSS, not all aggregators are capable (as of February 2004) of reading Atom feeds. If you enjoy using an aggregator that doesn’t understand Atom, but you still want to read websites that syndicate in Atom but not RSS, you can use a tool that converts Atom feeds into RSS feeds, such as Atom2RSS, by 2RSS.  

Tuesday 14 December 2010

Will RSS Readers Clog the Web?

        News aggregators may be the best new tools to appear on the Web since the browser, but as the programs and the underlying RSS standard grow more popular, some question whether the Internet will be able to handle the traffic. 


            Aggregators, sometimes called newsreaders or RSS readers, are a hybrid of a Web browser and an e-mail program, allowing Web users to peruse hundreds of information sources. The beauty of an aggregator is that it displays articles from hundreds of websites in one place, so the user doesn't have to pull up the sites individually.
            But some are wondering: What happens when everyone discovers the power of aggregators? Will the Web be able to handle it? In Internet boom-speak, will it scale? 

            Already, aggregators have swamped some sites, slowing Web servers and eating up expensive bandwidth, according to bloggers and other Web publishers. The end may be near, unless something changes soon.
            Some think a solution to the problem might be found by integrating desktop applications into a peer-to-peer network, which would distribute the load among hundreds of clients. A central server would coordinate various readers, allowing some to check the original source of the information and passing on new information.
            Still, the explosion of RSS readers shouldn't overwhelm servers as long as the readers use the right protocol. If implemented properly, the check for new content is an "infinitesimal" burden.



Tuesday 7 December 2010

Aggregators and Atom

           Atom being a newer format than RSS, not all aggregators are capable (as of February 2004) of reading Atom feeds. Many new versions of aggregators are; a comprehensive listing is available at The AtomEnabled Directory.
           Some websites produce only Atom feeds and not RSS feeds (most notably those published using the Blogger software), so if you want to read the feeds of these websites, or want to make use of the advantages of Atom feeds, then you would want an aggregator that can understand Atom. 
           If you enjoy using an aggregator that doesn’t understand Atom, but you still want to read websites that syndicate in Atom but not RSS, you can use a tool that converts Atom feeds into RSS feeds, such as Atom2RSS, by 2RSS.

Tuesday 30 November 2010

Online Aggregators

I'd like to present a list of online aggregators with their advantages and disadvantages:
Bloglines
Advantages:
  • all major browsers supported (e.g. Netscape Navigator, Internet Explorer, Firefox)
  • user-friendly especially for beginners
  • free, web-based aggregator
  • easy registration
  • no advertisements
  • contains its own directory of RSS feeds of thousands of websites
  • personal email account for subscribing to newsletter emails (optional)
  • allows privacy adjustments for personal blogs
  • allows saved searches
  • mobile version available
  • 10 languages supported
  • additional add-on tools for automated blogrolls and subscription buttons
NewsGator
Advantages:
  • free (consumer-standard version)
  • provides personalized news channel
  • allows translation of RSS articles into email format
  • synchronization of feeds in several devices possible
  • browse and search feed capabilities save time on surfing
  • allows keyword filtering
  • blog headlines
  • button-click automatic subscription to news feeds
Disadvantage:
  • Outlook-based thus limited to Windows
My Yahoo
Advantages:
  • Free web-based aggregator
  • user-friendly
  • customizable home page design
  • button-click subscription to RSS feeds
  • built-in directory and search tool for feeds
  • wide variety of feeds e.g. news (science, technology, local), weather
  • connects to all Yahoo features and services
Disadvantage:
  • banner advertisements
There are also lightweight RSS aggregator extensions, which are plug-ins to existing internet browsers. One example is:
Sage aggregator
Advantages:
  • free of charge
  • beginner-friendly
  • reads both RSS and Atom feeds
  • allows feed discovery
  • can be integrated with Firefox bookmarks (storage and live)
  • allows OPML feed lists imports and exports
  • customizable style sheets
  • supports a wide range of locales e.g. Catalan, Italian, Japanese, Spanish, Korean, Polish, Slovenian, etc.
  • easy installation
Disadvantages:
  • good for about 12 RSS feeds
  • limited use to Mozilla-Firefox and Mozilla-Firefox supported browsers

Wednesday 24 November 2010

Aggregators with podcasting capabilities

Aggregators with podcasting capabilities can automatically download media files, such as MP3 recordings. In some cases, these can be automatically loaded onto portable media players (like iPods) when they are connected to the end-user's computer.

Media aggregators are sometimes referred to as "Podcatchers" due to the popularity of the term "podcast" used to refer to a web feed containing audio or video. Media aggregators are applications, either client software or Web-based, which maintain subscriptions to feeds that contain audio or video media enclosures. They can be used to automatically download media, play back the media within the application interface, or synchronize media content with a portable media player.

Recently, so-called RSS-narrators have appeared, which not only aggregate text-only news feeds, but also convert them into audio recordings for offline listening.