No, ask what Bloglines can do to you

Apparently my parting post when I left Bloglines wasn’t quite accurately titled: you should ask what Bloglines can do to you, and whether you’re willing to put up with it.

The short version, since I do seem to go on: Bloglines doesn’t properly remove JavaScript from on{event} attributes, only from <script> elements, so any post you view is capable of stealing your login cookie, including your email address, and doing anything in the interface, including subscribing and unsubscribing you from any feed, as this sample feed, which will greet you by email address when you preview it, and will unsubscribe you from it (leaving the OPML subscription export in the main frame as a hint) when you subscribe and then view the single item, demonstrates.

The longer version: Four weeks ago today, I ran across some XSS holes in several online RSS aggregators. If you don’t develop websites, you might possibly not know that XSS is the result of combining stuff you know about a user, or will do for a user, with stuff from a third-party source that you don’t sanitize well enough to disable any malicious JavaScript that could steal information about the user, or do things with your site (like changing passwords, adding MySpace friends, or sending 200 computers to East Wherever).

With Google Reader, I cheated and went through a back channel, and heard back in minutes, and saw that the problem was fixed on the live site within three days. With Newsgator Online, I just reported their problem through their web form, hoping for the best. To their great credit, I did get the best: within 25 minutes, Gordon Weakliem replied, first thing the next morning he reported that the fix was going through QA, and within the same three days as Google it was on the live site.

And then there’s Bloglines. I didn’t expect quite the same response as the early days, when Mark Fletcher himself would not only respond to your feedback form submissions, but would have clearly heard and understood them, but then I was reporting a huge and obvious security flaw (the other two were rather obscure and cunning), where the only two possible responses were “already fixed, percolating out” or “oh crap, we’re on it.” When you have people’s private subscriptions and URLs including passwords and their email addresses in cookies, and your entire UI is in JavaScript or accessible from the DOM, there’s just no other sane response.

Somehow, I wasn’t expecting an insane response. I reported it Monday evening, and Thursday morning (only about 12 hours after their claimed 48 hour maximum time to respond) I got a canned

We appreciate that you have brought this to our attention. We have forwarded your information to the appropriate technical department for further investigation, and regret any inconvenience.

reply, and settled in to wait for the appropriate technical department (I thought maybe “programmers” but apparently “janitors” seemed more appropriate to them) to jump into action.

Digression: Bloglines is in the market for a Senior Software Engineer, though the position description doesn’t mention anything about requiring the least bit of familiarity with web application security. It’s been open since 14 October, though it could be the same position that was also posted on 12 September, and the other one posted on 14 October might be a duplicate or a third separate position. However, not one of them mention web application security.

Now it’s been four weeks, with no contact beyond the canned reply and no fix, which is my personal limit for leaving my friends unknowingly exposed to a security vulnerability.

Near as I can tell, Bloglines makes no attempt to avoid XSS at all, other than the whatever of stripping <script> elements (while, oddly and breakage-pronely, leaving their contents). My demo feed is using what’s quite literally the textbook example of XSS, an <img src="not-there" onerror="bad script goes here">, but any other on* attribute seems to work just fine too, and there don’t seem to be any inconvenient things like nonces to get in the way of malicious XSS.

What could it do? Well, steal your email address, change it and your password so you can’t get back in, or unsubscribe you from all your feeds and subscribe you to whatever the attacker prefers, send stuff to your Bloglines-blog, I didn’t try it all but I didn’t see anything that looked like even an attempt at securing anything that you can do by clicking on a link or filling out a form in the UI.

Would it ever happen to you, since you know and trust everyone you subscribe to? Well, that came up clear back at the time of the Great Platypus Attack, and was a horrible way to rationalize being too indifferent to security to even try back then, but now? You know all those search feeds you subscribe to, for your name and links to your blog? The ones that are full of spam that is full of all sorts of crappy broken HTML? If you are depending on the search feed providers to strip dangerous markup before it gets to you, you’re putting your faith in two wrong places. Or, someone could quite easily disguise their hook in the results HTML for a memeoriffic “What Peloponessian War soldier are you?” quiz, since using the event handling attribute to quietly insert a <script src=""> element in the DOM should work quite nicely, and the src doesn’t need to return the real payload unless it’s being called from within Bloglines, just in case someone looks.

And, Mark? If I were you, I’d invest in a feedback form that leads to a ticket system, and enough capable triagers that can send actual replies, and a way of following up on things that aren’t solved by a canned reply, and maybe some more direct contact information somewhere. We really didn’t need to get to this extreme, but the one thing that I’ve noticed that everyone who reports security vulnerabilities has in common is a dislike for being ignored.


Comment by Dorothea #
2005-11-21 16:50:10

Remember the interaction bug between Keep New and Ignore Updated Items? That I posted about back in January?

Not fixed. They’ve added a crapload of new features (one of which highlights THIS PRECISE BUG), but no action on the bug.

Eff it. Just eff it. I’m moving to Gregarius as soon as may be.

Comment by Paul Freeman #
2005-11-29 08:08:46

Yes, I have rehit this bug, and submitted a bug report to them. I got exactly the same response as Phil above. ”passed to the technical team” and then nothing for weeks.

I’m moving to Gregarius too.

Comment by Ryan Wick #
2005-11-21 17:55:03

This issue isn’t really related, or nearly as serious, but it’s an example of something I saw blogged about, and was fixed shortly thereafter by Bloglines. Whether that was directly because of that post or not I don’t know.

Partly because I read your post using Bloglines and partly because I’m a web developer, I want to say thanks for bringing this issue to light.

Comment by Mark #
2005-11-21 18:38:59

Good thing you’re not evil. ”RSS used to propagate viruses” is a bad enough headline. ”RSS used to deliver zero-day rootkits” is much worse. Both are equally possible.

Comment by Stephen Duncan #
2005-11-21 19:31:38

Well, this sucks to find out. I’m really not prepared to use another aggregator… But even if they fix it, they’ll have to prove that they’re capable of taking such things seriously and dealing with them in much more timely manner in the future. Considering the fact that Tim Bray’s Atom 1.0 feed is still nearly unusable in Bloglines, their commitment to fixing things has been pathetic so far…

Comment by Robyn DeuPree #
2005-11-21 20:33:32


We are now very aware of the issue and are working on a fix. I’m looking into why the developers never received your initial report and I plan to take action to ensure such reports are treated appropriately in the future.

Mark also wanted me to tell you he would have responded personally if he weren’t on his death bed with a nasty flu.

Robyn DeuPree
Bloglines Product Manager

P.S. Dorothea, I will look into the update/keptnew interference bug, thanks for bringing it to my attention.

Comment by Phil Ringnalda #
2005-11-21 21:44:30