Reading blogs could cause your computer to catch a virtual cold, said a leading security expert Wednesday at the Black Hat USA conference.
Internet users who employ Web-based services such as Bloglines or Web browsers such as Firefox to read Web site feeds and blogs are vulnerable to embedded malicious code that can install spyware, log users’ passwords, scan PCs and corporate networks for open ports and more, said Caleb Sima, chief technology officer at SPI Dynamics Inc., an Atlanta-based Web application security company.
So far, only a few proof-of-concept attacks against blog readers from Google and Yahoo have occurred, Sima said, though he believes that more are on the way.
Seemingly random strings of characters such as “&lt;” are often converted by Web sites or blog readers into the “<” character. That signifies a left tag, which tells Web sites and software to treat any text between it and a right tag character as executable code.
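The decoding step just described, shown in an added Python example that is not from the article or from SPI Dynamics: a constructed RSS item whose description carries escaped markup, the decoded HTML a reader would hand to its rendering engine once the XML parser turns “&lt;” back into “<”, and an allow-list sanitizer of the kind the article says readers lack, which drops script elements, event-handler attributes and non-http(s) links before anything is rendered. The sample feed, the tag allow-list and all function names are assumptions made for this example.

```python
"""Added example (not from the article or SPI Dynamics): how a feed reader
turns an innocuous-looking escaped string in an RSS item into live HTML, and
an allow-list sanitizer that neutralises it before rendering.

The sample feed below is constructed for this demonstration.
"""
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample feed: the <description> contains XML-escaped HTML, which
# the XML parser decodes back into real markup ("&lt;" -> "<").
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Example feed</title>
<item>
  <title>Harmless post</title>
  <description>Hello &lt;b&gt;world&lt;/b&gt; &lt;script&gt;alert(1)&lt;/script&gt;
  &lt;a href="javascript:alert(2)" onclick="alert(3)"&gt;link&lt;/a&gt;</description>
</item>
</channel></rss>"""

# Assumed policy for the example: a small set of formatting tags, one attribute.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "a", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = ("http://", "https://")


def decode_feed(xml_text):
    """Return [(title, description_html)] for each item. The description comes
    back with entities decoded, i.e. as the raw HTML a browser would render."""
    root = ET.fromstring(xml_text)
    return [(item.findtext("title", ""), item.findtext("description", ""))
            for item in root.iter("item")]


class Sanitizer(HTMLParser):
    """Rebuild the HTML keeping only allow-listed tags and attributes; text
    inside a dropped element such as <script> is discarded as well."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.skip_depth += 1
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick=... and every other event handler
            if name == "href" and not value.lower().startswith(SAFE_URL_SCHEMES):
                continue  # drops javascript: and other non-http(s) URLs
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag not in ALLOWED_TAGS:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Re-escape text so decoded entities cannot turn back into markup.
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))


def sanitize(html_text):
    """Return html_text reduced to the allow-listed subset."""
    s = Sanitizer()
    s.feed(html_text)
    s.close()
    return "".join(s.out)


def render_feed(xml_text):
    """What a filtering reader would pass to its rendering engine."""
    return [(title, sanitize(body)) for title, body in decode_feed(xml_text)]


if __name__ == "__main__":
    for title, raw in decode_feed(SAMPLE_RSS):
        print("decoded :", repr(raw))
        print("sanitized:", repr(sanitize(raw)))
```

Running the block prints the decoded description, in which the script element and the event handler are already real markup, followed by the sanitized version, which keeps the bold text and the link but without its script, its onclick handler or its javascript: target.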
Finally, because RSS and Atom readers don’t typically authenticate the publisher of each feed every time they download, they might blindly download feeds sent by an impersonating or infected Web publisher, Sima said.
In the absence of blog readers filtering their feeds, Sima recommends that CIOs and chief information security officers start treating individual PCs as potential attack points.