No, ask what Bloglines can do to you

Apparently my parting post when I left Bloglines wasn’t quite accurately titled: you should ask what Bloglines can do to you, and whether you’re willing to put up with it.

The short version, since I do seem to go on: Bloglines doesn’t properly remove JavaScript from on{event} attributes, only from <script> elements, so any post you view can steal your login cookie (which includes your email address) and do anything in the interface, including subscribing and unsubscribing you from any feed. This sample feed demonstrates it: it greets you by email address when you preview it, and unsubscribes you from itself (leaving the OPML subscription export in the main frame as a hint) when you subscribe and then view the single item.

The longer version: Four weeks ago today, I ran across some XSS holes in several online RSS aggregators. If you don’t develop websites, you might not know that XSS is what you get when you combine stuff you know about a user, or will do for a user, with stuff from a third-party source that you don’t sanitize well enough to disable any malicious JavaScript in it, which can then steal information about the user or do things with your site (like changing passwords, adding MySpace friends, or sending 200 computers to East Wherever).

With Google Reader, I cheated and went through a back channel, and heard back in minutes, and saw that the problem was fixed on the live site within three days. With Newsgator Online, I just reported their problem through their web form, hoping for the best. To their great credit, I did get the best: within 25 minutes, Gordon Weakliem replied, first thing the next morning he reported that the fix was going through QA, and within the same three days as Google it was on the live site.

And then there’s Bloglines. I didn’t expect quite the same response as the early days, when Mark Fletcher himself would not only respond to your feedback form submissions, but would have clearly heard and understood them, but then I was reporting a huge and obvious security flaw (the other two were rather obscure and cunning), where the only two possible responses were “already fixed, percolating out” or “oh crap, we’re on it.” When you have people’s private subscriptions and URLs including passwords and their email addresses in cookies, and your entire UI is in JavaScript or accessible from the DOM, there’s just no other sane response.

Somehow, I wasn’t expecting an insane response. I reported it Monday evening, and Thursday morning (only about 12 hours after their claimed 48 hour maximum time to respond) I got a canned

We appreciate that you have brought this to our attention. We have forwarded your information to the appropriate technical department for further investigation, and regret any inconvenience.

reply, and settled in to wait for the appropriate technical department (I thought maybe “programmers” but apparently “janitors” seemed more appropriate to them) to jump into action.

Digression: Bloglines is in the market for a Senior Software Engineer, though the position description doesn’t mention anything about requiring the least bit of familiarity with web application security. It’s been open since 14 October, though it could be the same position that was also posted on 12 September, and the other one posted on 14 October might be a duplicate or a third separate position. However, not one of them mentions web application security.

Now it’s been four weeks, with no contact beyond the canned reply and no fix, which is my personal limit for leaving my friends unknowingly exposed to a security vulnerability.

Near as I can tell, Bloglines makes no attempt to avoid XSS at all, other than stripping <script> elements (while, oddly and in a way that breaks legitimate content, leaving their contents in place). My demo feed is using what’s quite literally the textbook example of XSS, an <img src="not-there" onerror="bad script goes here">, but any other on* attribute seems to work just fine too, and there don’t seem to be any inconvenient things like nonces on the requests that change your account to get in the way of malicious XSS.

What could it do? Well, steal your email address, change it and your password so you can’t get back in, unsubscribe you from all your feeds and subscribe you to whatever the attacker prefers, or send stuff to your Bloglines-blog. I didn’t try it all, but I didn’t see anything that looked like even an attempt at securing anything you can do by clicking on a link or filling out a form in the UI.

Would it ever happen to you, since you know and trust everyone you subscribe to? Well, that came up clear back at the time of the Great Platypus Attack, and was a horrible way to rationalize being too indifferent to security to even try back then, but now? You know all those search feeds you subscribe to, for your name and links to your blog? The ones that are full of spam that is full of all sorts of crappy broken HTML? If you are depending on the search feed providers to strip dangerous markup before it gets to you, you’re putting your faith in two wrong places. Or, someone could quite easily disguise their hook in the results HTML for a memeoriffic “What Peloponnesian War soldier are you?” quiz, since using the event handling attribute to quietly insert a <script src=""> element in the DOM should work quite nicely, and the src doesn’t need to return the real payload unless it’s being called from within Bloglines, just in case someone looks.

And, Mark? If I were you, I’d invest in a feedback form that leads to a ticket system, and enough capable triagers that can send actual replies, and a way of following up on things that aren’t solved by a canned reply, and maybe some more direct contact information somewhere. We really didn’t need to get to this extreme, but the one thing that I’ve noticed that everyone who reports security vulnerabilities has in common is a dislike for being ignored.

43 Comments

Comment by Dorothea #
2005-11-21 16:50:10

Remember the interaction bug between Keep New and Ignore Updated Items? That I posted about back in January?

Not fixed. They’ve added a crapload of new features (one of which highlights THIS PRECISE BUG), but no action on the bug.

Eff it. Just eff it. I’m moving to Gregarius as soon as may be.

Comment by Paul Freeman #
2005-11-29 08:08:46

Yes, I have rehit this bug, and submitted a bug report to them. I got exactly the same response as Phil above. “passed to the technical team” and then nothing for weeks.

I’m moving to Gregarius too.

Comment by Ryan Wick #
2005-11-21 17:55:03

This issue isn’t really related, or nearly as serious, but it’s an example of something I saw blogged about, and was fixed shortly thereafter by Bloglines. Whether that was directly because of that post or not I don’t know.
http://www.mikeindustries.com/blog/archive/2005/10/bloglines-update

Partly because I read your post using Bloglines and partly because I’m a web developer, I want to say thanks for bringing this issue to light.

Comment by Mark #
2005-11-21 18:38:59

Good thing you’re not evil. “RSS used to propagate viruses” is a bad enough headline. “RSS used to deliver zero-day rootkits” is much worse. Both are equally possible.

Comment by Stephen Duncan #
2005-11-21 19:31:38

Well, this sucks to find out. I’m really not prepared to use another aggregator… But even if they fix it, they’ll have to prove that they’re capable of taking such things seriously and dealing with them in much more timely manner in the future. Considering the fact that Tim Bray’s Atom 1.0 feed is still nearly unusable in Bloglines, their commitment to fixing things has been pathetic so far…

Comment by Robyn DeuPree #
2005-11-21 20:33:32

Phil,

We are now very aware of the issue and are working on a fix. I’m looking into why the developers never received your initial report and I plan to take action to ensure such reports are treated appropriately in the future.

Mark also wanted me to tell you he would have responded personally if he weren’t on his death bed with a nasty flu.

Robyn DeuPree
Bloglines Product Manager

P.S. Dorothea, I will look into the update/keptnew interference bug, thanks for bringing it to my attention.

Comment by Phil Ringnalda #
2005-11-21 21:44:30

Assuming I’m right in thinking that you haven’t always beaten your wife, it seems like what you need most desperately is regression testing, with a set of evil feeds that shouldn’t do anything and a set of well-meaning but awfully invalid feeds that should still work.

And, as you and I both say, some sort of ticket system to ensure that things passed from one person to another actually arrive and get looked at, not just dropped on the floor.

Comment by Jason Levine #
2005-11-21 20:39:37

Robyn, it’s nice to see you’ve noticed this thread, but it’s also disheartening to know that it took a thread by Phil to get the attention of people at Bloglines. It would be nice to see a change come of this, the appointment of someone to a position directly facing your users who is in charge of making sure that things like these — security reports, usability bugs, etc. — don’t get ignored while new features get rolled out.

Comment by Shelley #
2005-11-21 20:57:27

Yeah, Robyn. You need to hire Scoble.

Comment by Phil Ringnalda #
2005-11-21 21:24:12

Heh. In the Vice President In Charge Of Being Namechecked In Weblogs sense, or the Crazy Enough To Post A Phone Number On His Weblog sense?

Even though I hate talking on the phone more than almost anything else, this morning I actually looked at both the Bloglines contact information and Mark’s weblog for a phone number, and used the lack of either as an excuse to use my bully pulpit as an alternate contact method instead.

Comment by Phil Ringnalda #
2005-11-21 21:37:32

Though from what Google tells me now that Robyn reminded me of her name, she’s already doing the Namechecked In Weblogs thing, with “Bloglines” rather than with someone’s personal name. So what’s really needed is something that comes before the festering wounds explode into pus-filled posts.

Funnily enough, they could have done it with me by making the subject of the canned reply email “Re: Web Form: [Web] #$rand” — while I won’t reply to a generic email from a generic address with absolutely nothing but my original message below a top-reply to show it’s not an autoresponder, I can convince myself that “#36827458” means I’m at least a number to them, and a reply won’t just fall in a generic bucket, even if it actually will.

Comment by Phil Ringnalda #
2005-11-22 00:53:02

Bwahaha. Apparently whoever’s Monday evening I ruined by making them fix the problem (or at least, fix my proof-of-concept) has a sense of humor about it: it’s currently fixed, by changing the onerror attribute to a noerror attribute :)

Comment by Tim Bray #
2005-11-22 07:26:06

Gosh, I’ve been complaining for months that Bloglines’ Atom 1.0 support is borked (see http://www.tbray.org/ongoing/ongoing.atom), with zero response. Maybe Phil’s comments is the magic place that Bloglines people actually notice and respond to issues?

Comment by Phil Ringnalda #
2005-11-22 08:46:45

No, I don’t think it’s nearly as simple as that. Stephen’s comments are where your Atom issue gets noticed and responded to.

A combination of firefighting in comments, having a “news bloggish thingy” that lacks permalinks, and another actual blog that combines very infrequent posts of interest to Bloglines users with posts of absolutely no interest to them, is either a cunning strategy to coast below the radar, or a sign that someone really needs the time to sit down and think about how Bloglines communicates.

Comment by Aristotle Pagaltzis #
2005-11-22 09:59:08

One would have hoped that either Tim Bray’s complaints or Norman Walsh’s report or Anne van Kesteren’s lambasting in isolation would be sufficient to get them to wake up.

Instead they have to be caught sleeping on guard duty and be pilloried for it before anything happens. Sheesh.

Comment by Paul #
2005-11-22 08:56:06

Tim,
Maybe it’s because you don’t allow comments on your weblog.

Comment by Sander #
2005-11-22 14:14:45

Heh, I found a variant of this, uhm… *searches through old email* – 18 July 2005, while trying out how a new Atom implementation was handled. Got the canned response on the 20th, and that was it.

*goes check* Yup, the problem is still present. Subscribe to http://juima.org/otherstuff/test/bloglines_test.xml in bloglines. *waves hands to attract Robyn’s attention*

(And while I’m responding anyway, while checking up on the state of non-successful comment spam on my site, I noticed that you’d started a reply to one of my posts where I mentioned this, yet not finishing it – have I set the barrier to commenting too high with the required registration?)

Comment by Phil Ringnalda #
2005-11-22 14:57:11

Sweet, tagline! I would have gotten there eventually, but not for a while yet :)

Yes, I’m afraid the barrier’s too high: offhand, I’d guess I’ve started to comment or thought about commenting four or five times, but I don’t remember if I’ve registered or not, or what I would have used if I did register. You’re interesting to me, and you talk about interesting things, and that’s important to me, but, you’re one of 435 people (well, some of those are things) in that class: if you make me go fumbling through unpw.txt looking for registration info, I’ll start thinking about other places I could say the same thing.

Comment by Sander #
2005-11-22 15:09:19

has the same problem, according to my email to bloglines.

Noted on the too high barrier – will ponder alternatives. (I just rely on Mozilla/Firefox/SeaMonkey to keep track of all my non-critical passwords, so I probably think more lightly of adding yet another registration.) And for the record, you haven’t registered yet. :)

Comment by Sander #
2005-11-22 15:10:12

Err, that’s <title>

Comment by Phil Ringnalda #
2005-11-22 22:08:11

Oooh, double word score for you: your “this could be evil” alert shows up on the first subscribe page, without needing a preview or a subscription, which means that it could be awaiting any logged in Bloglines user at the far end of any tinyurl (or, any other URL, since absolutely anything might redirect to bloglines.com/sub?url=…). No need to inject yourself by splogging and hoping to be picked up in search feeds, when you can just do the sort of semi-innocuous comment spamming where the owner has to follow your link to see whether or not you are a spammer, at which point you redirect, and Fish on!

Comment by Sander #
2005-11-23 04:15:25

Ooh, I hadn’t seen that it was a GET on the subscribe form so that you could link directly to that page. (And of course I’d failed to investigate the “easy subscribe” option.) Yikes, yeah, that’s getting truly evil.

Comment by Sander #
2005-11-23 17:15:21

Nice, it’s been fixed. To whichever bloglines engineers worked on this: I’m glad it didn’t ruin your thanksgiving.
(Note to self: check behaviour for <title type="(x)html"> and others.)

Comment by Phil Ringnalda #
2005-11-23 22:46:27

I was feeling pretty bad for a while about my inability to inject any more script: all the combinations of title and description/tagline seemed closed, and they’d taken away my events in the item body itself. I thought.

unsub.xml now has another item, with an IE-only (sometimes it’s a good thing that Doron didn’t really finish Gecko’s <marquee> implementation) injection that then suggests that you subscribe to a new feed, with another seven IE-specific injection events.

To a certain extent, I understand their approach of changing specific instances of “on” followed by particular characters into “no” followed by those same characters, rather than doing what I would do and change or just remove every attribute that starts with “on” whether or not I recognize the name, so they don’t have to worry about someone putting something funky before the “on” (rumor has it you can put some control characters there, or even inside attribute and element names, and have them ignored), but I don’t get wtf is up with not covering everything in the two main lists, Gecko and IE, that took me five seconds to look up, and not much longer to discover what wasn’t being neutralized (including several more that I haven’t (yet) figured out how to fire, or can’t fire: I don’t think anything but a window can hook Gecko’s onpaint).

Then once we get done with those, we can move on to script injection through CSS, of which I already have one working and several more ideas. I may need to jump back out to the root threading level, before it gets too narrow down here.
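
Here is that approach written out as an added example (mine, not Bloglines’ code): instead of rewriting “on” to “no”, a whitelist keeps only known elements and attributes, drops any attribute whose name starts with “on” whatever surrounds it, and refuses URL attributes with unknown schemes. The tag and attribute lists and the sample items are constructed; the same block also covers the <script>-stripping the post body describes, dropping the element together with its contents instead of leaving the code behind as text.

```python
# Whitelist HTML sanitizer (added example, not Bloglines code). Instead of
# stripping <script> and renaming onerror to noerror, keep only known elements
# and attributes, drop every attribute named on*, and refuse unknown URL schemes.
import re
from html import escape
from html.parser import HTMLParser

# Constructed whitelists; tune them to the markup you actually need to render.
ALLOWED_TAGS = {"a", "b", "blockquote", "code", "em", "i", "img", "li", "ol",
                "p", "pre", "strong", "ul"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"},
                 "blockquote": {"cite"}}
URL_ATTRS = {"href", "src", "cite"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
DROP_WITH_BODY = {"script", "style"}            # body is code, not text to keep
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")  # lenient parsers may ignore these


def _clean_name(name):
    return CONTROL_CHARS.sub("", name).lower()


def _safe_url(value):
    v = CONTROL_CHARS.sub("", value or "").strip().lower()
    # Known scheme, or no scheme at all (relative); excludes javascript:, data:
    return v.startswith(SAFE_SCHEMES) or ":" not in v


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside an element dropped with its body

    def handle_starttag(self, tag, attrs):
        tag = _clean_name(tag)
        if tag in DROP_WITH_BODY:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown element: drop the tag, keep its text content
        kept = []
        for name, value in attrs:
            name = _clean_name(name)
            # on* refused by name as well as by whitelist, so the intent survives
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            if name in URL_ATTRS and not _safe_url(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        tag = _clean_name(tag)
        if tag in DROP_WITH_BODY:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag != "img" and not self.skip_depth:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize(fragment):
    parser = Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


# Constructed samples modelled on the cases discussed in the thread.
SAMPLES = {
    "textbook": '<p>Hi <img src="not-there" onerror="alert(1)"></p>',
    "other_event": '<marquee onstart="alert(1)">hello</marquee>',
    "renamed_not_removed": '<img src="x" noerror="junk" onload="alert(1)">',
    "script_body": '<p>ok</p><script>alert(1)</script>',
    "js_url": '<a href="javascript:alert(1)" title="t">click</a>',
}
```

Run each sample through sanitize() and compare with what a rename-based filter would leave behind: the event attribute, the marquee, and the javascript: URL all disappear, and the script body is gone rather than printed as text.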

Comment by Mark #
2005-11-24 06:57:56

The marquee hack is truly inspired.

Comment by Sander #
2005-11-24 09:03:03

Oh well, if you’re gonna be evil like that
Preview this: http://juima.org/otherstuff/test/bloglines_test13.xml (Garbage in, security problem out.)

Wouldn’t be surprised if the same technique could be applied at the sub? step as well.

Comment by Phil Ringnalda #
2005-11-24 11:22:05

Mmm, tasty! A very nice answer to the question “But why do I need to only whitelist those things I’m sure I want, rather than blacklist the things I know I don’t want?”

Comment by Mark #
2005-11-29 21:49:50

Here’s a feed that (in IE/Win) will execute arbitrary JavaScript on the Bloglines subscription confirmation page (i.e. the page you get when you click “Subscribe” the first time, but before you actually subscribe).

style-in-link.xml

This is bad because this page can be included from anywhere, and the JavaScript can (probably) auto-submit the form. Thus, if an attacker can get you to view a web page, they can (probably) automatically subscribe you to a particular feed. This might also work with HTML emails, although I don’t know if the proper Bloglines authentication cookies would be sent if the page was loaded from an IFRAME within an email client. But I’ve learned never to underestimate the power of integration between Outlook Express and IE, so very little surprises me.

Comment by Mark #
2005-11-29 22:03:10

For reference, setExpression on MSDN documents the totally wacky expression property in IE. “There is no public standard that applies to this method.” Hey, thanks for that. (Yeah, I know Mozilla has its own non-standard crap too, but equating them is a logical fallacy.)

Comment by Phil Ringnalda #
2005-11-29 22:59:31

The page I really want is the one that explains how to alert() in an expression without getting caught in an infinite loop of alerts: I never got around to finishing my expression hack, because I got so distracted and frustrated trying to get just one alert, instead of an endless stream until I killed iexplore.exe.

But, major bonus points for that truly :evil: use of http://<style>

Comment by Mark #
2005-11-30 00:07:44

You can do the same thing with script tags too. Not sure how I got stuck on the style+expression path of inquiry. And regular script tags have the advantage of working cross-browser. This link, for example, takes you to a web page which automatically subscribes you to a feed without your consent. (For reasons that are not clear to me at 3 AM, the entire page ends up visibly redirecting instead of Bloglines staying in the invisible IFRAME where it belongs. Not sure if there’s some .htaccess judo on their part, or if I’m just stupid.)

Let’s back up a second. A web page which automatically subscribes you to a feed without your consent. That seems… bad.

Comment by Phil Ringnalda #
2005-11-30 00:36:02

My three hours earlier, but still late, thought would be that it’s because of the form’s target="_top", which you could just remove before you submit the form.

Somewhere else (and I can’t believe I can’t remember where) earlier tonight I was talking about RSS worms: it’s just a shame that probably essentially nobody subscribes to other people’s Bloglines-hosted blogs, because that would be such a nice way to propagate.

Comment by Mark #
2005-11-30 12:52:16

I tried that and couldn’t get it to work properly (it still visibly redirects the parent page), but I don’t really know anything about target attributes or iframes, having never used them for anything useful or legitimate.

On the topic of “I can’t find any other ways to inject script,” you should really try harder. Bloglines doesn’t actually generate a page of HTML for your news items; it generates a lot of gnarly JavaScript strings that write out the HTML later. JavaScript has lots of weird quirks; one of them is that a “</script>” immediately ends the script, even if it occurred within a string.

Combine that with the fact that Bloglines doesn’t strip “</script>” from URLs, and you can generate a malformed link that breaks out of the script that Bloglines is executing and add arbitrary HTML content (including script, or iframes, or other allegedly sanitized elements) at that point in the page.

test case
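
The breakout Mark describes, next to the escaping that closes it, as an added example (mine, not Bloglines’ code; the sample URL is constructed): the naive literal leaves “</script>” in the page twice, the escaped one once, and the escaped literal still decodes to the same value.

```python
# Embedding feed values in inline JavaScript (added example, not Bloglines code).
# An HTML parser ends a <script> element at the first "</script>" it meets, even
# inside a JS string literal, so a URL or title containing that text cuts the
# script short and the rest is parsed as HTML. Escaping every "<" as \u003c keeps
# the JavaScript value identical while hiding the sequence from the HTML parser.
import json
from html import escape

END_TAG = "</script>"
# Constructed sample value: a benign URL that happens to contain the end tag.
SAMPLE_URL = "http://example.com/item?t=</script><b>not a link any more</b>"


def naive_js_literal(value):
    """json.dumps alone: a valid JS literal, but "</script>" passes through."""
    return json.dumps(value)


def safe_js_literal(value):
    """JS string literal safe to inline in <script>: json.dumps handles quotes,
    backslashes and non-ASCII; every "<" becomes \\u003c, covering both "</"
    and "<!--", the two sequences HTML treats specially inside script data."""
    return json.dumps(value).replace("<", "\\u003c")


def embed(js_literal):
    """Stand-in for a reader that ships an item to the browser as a JS string."""
    return "<script>var item = %s;</script>" % js_literal


def render_item(title, url):
    """Item markup produced from script: HTML-escape for the document the
    markup ends up in, then JS-escape for the script it travels through."""
    link = '<a href="%s">%s</a>' % (escape(url, quote=True), escape(title))
    return "<script>document.write(%s);</script>" % safe_js_literal(link)


def script_end_count(page):
    """How many times an HTML tokenizer would see the script end; 1 is right."""
    return page.count(END_TAG)


def round_trips(value):
    """The escaped literal still decodes to the original value."""
    return json.loads(safe_js_literal(value)) == value


if __name__ == "__main__":
    print(script_end_count(embed(naive_js_literal(SAMPLE_URL))))  # 2: broken out
    print(script_end_count(embed(safe_js_literal(SAMPLE_URL))))   # 1
```
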
Comment by Phil Ringnalda #
2006-01-12 02:08:14

Bah. Martijn just got loop checked in, though he left onfinish for another bug, so we may still get to look down on IE for another three or four years.

Comment by Phil Ringnalda #
2006-01-23 15:39:51

Or, maybe not.

Comment by Anil #
2005-11-22 17:21:52

“Heh. In the Vice President In Charge Of Being Namechecked In Weblogs sense, or the Crazy Enough To Post A Phone Number On His Weblog sense?”

I see I am missing one of these appellations. In the interim, I’d just like to lament that I can’t even take glee in others’ poor communication anymore. Once you’ve been called out on the other side, it just takes all the fun out of it.

Oh, for the days when I could just flame people and/or legitimately call them out! I’ve gotten soft in my old age. Help me, Phil. Guide me back to a time when I could inspire f8dy-signed comments with just a simple blog post.

Comment by Shelley #
2005-11-22 20:02:02

Hi Anil!

Comment by Phil Ringnalda #
2005-11-22 22:20:19

That does sound like it has comedy potential: my version of one of those “The (7, 9, 10, 11, 15, 21) Things That Will Make You An A-List Blogger Getting Scoble-Love All Night Long” lists could be fun, if I had the attention span for that sort of writing.

8. Curse the darkness. It’s not just stupid and lazy, it’s doing it just to piss you off.
9. Is that a bridge? Spark that puppy up, that’ll take care of any darkness problem!

But, really, aren’t you lost to us? Have you forgotten that first day of orientation at 6A, when they packed your mouth with baking soda to neutralize any lingering acid tongue? When you mildly chided Google and IMDb, didn’t you think for a second about whether Google might decide they need to own more blogging companies, or IMDb might decide they need to turn into IMblogs? I’m sure it was a very good decision for you, but one of the things you gave up was the chance to be an asshole any time you feel like it.

Pingback by 79 Decibels - : #
2005-12-04 17:04:20

[…] The poor response to a security hole in Bloglines has left a sour taste in my mouth. I’ve stopped using it in favor of just using something that runs on my web-server. At least this way I can peek through the code and lock it down if need be. Kudos to Bloglines for at least offering an easy way to export feeds, I do appreciate not being locked-in. […]

Comment by Sander #
2006-01-10 15:34:43

Phil, have you been in further contact with bloglines on any of these remaining vulnerabilities?
I’ve been seeing quite a lot of requests for my example file, and am at this point starting to get worried that someone actually malicious is piecing all this information together. I even sent bloglines another message, but all I got was a stupid automatic response. (Even though this time it was a response that included an “incident tracking number”; is that progress?)

Comment by Phil Ringnalda #
2006-01-11 09:52:54

Nope, haven’t heard from them, but then I also haven’t reported anything else to them. I assumed that they would keep track of this thread, but it may be that they didn’t bother. But, a tracking number, real or fake, is certainly progress.

Comment by Ben Lowery #
2006-04-14 11:35:40

Hi Phil,

The various security issues presented in this thread have been addressed and fixes have been pushed out to the production site. Please let me know if you find any problems with the fixes, or if you find more issues.

Thanks,

Ben

2006-05-04 20:25:54

[…] In addition to Bloglines’ inability to make a sane feed reader, there are also very serious unresolved privacy problems, security problems and specification compliance problems. […]
