Attackers could insert SPI Dynamics, said Thursday in a presentation at the here.in content that is transferred to subscribers of data feeds that use the popular RSS ( ) or Atom formats, Bob Auger, a security engineer with Web security company
The problem doesn't affect only blogs--any kind of information feed using any kind of format could potentially be used to transmit malicious content to a subscriber, Auger said. People, for example, subscribe to mailing lists and news Web sites via RSS, he said, noting "this is about the entire concept of Web feeds."
Also, attackers could send malicious code to mailing lists that offer RSS or Atom feeds and commandeer vulnerable systems that way, Auger said. Feeds are popular because they let people consolidate information streams from multiple sites, such as blogs, in one application, called a feed reader, removing the need to surf to multiple sites.
"A large percentage of the readers I tested had some kind of an issue," he said. In his presentation, Auger listed Bloglines, RSS Reader, RSS Owl, Feed Demon, and Sharp Reader as vulnerable.