I have been studying the problem of secure web feeds for a few weeks. This morning I read a surprising post about the Gmail Atom feed service used with Bloglines. While reading it, an idea came to mind: it cannot be possible… can I really get the login and password of people who subscribe to “secure” web feeds (SSL plus HTTP authentication) through Bloglines? Sadly, the answer is yes.
The problem is that to use the Gmail Atom service in Bloglines, you have to build the feed URL like this, putting the username and password in the userinfo part of the URL (the USERNAME:PASSWORD@ part that precedes the host name) so that they reach the feed’s server: https://USERNAME:[email protected]/gmail/feed/atom
That is the whole problem: the username and the password sit in plaintext directly in the URL. SSL protects the connection to the feed server, but it does nothing for a URL that an aggregator stores, displays or shares.
The first thing I checked was whether I could find such strings in online aggregators such as Bloglines. Here is the answer:
Why do I have access to these URLs? Probably because these users’ Bloglines profiles are public rather than private.
I then tested whether I could get at these usernames and passwords by subscribing, with Bloglines, to the SSL and HTTP authentication test feed of the silverorange project. I created two Bloglines accounts: one (Jim) whose profile and blogroll are public, and another (Todd) that will look at the first account’s blogroll. The scenario goes like this:
1. Jim subscribes to a new SSL and HTTP authentication protected feed with Bloglines. His profile is public and he does not know the consequences of what he is doing. The address he subscribes to is:
https://testuser:[email protected]/rsstest/httpauth/rss_with_ssl_and_auth.xml
2. Todd discovers Jim’s public profile and checks his blogroll. He is lured by an entry called “Test Feed (HTTP Auth, SSL)”; he checks it, likes it and subscribes to it. Todd then sees this Bloglines page:
3. Todd looks more closely at this Bloglines page and notices:
Todd has just discovered the username and password of a “secure” web feed. Before subscribing he could not see the complete URL of the feed, because Bloglines only exposes it as http://www.bloglines.com/preview?siteid=1830560. Once he subscribes, however, Bloglines shows the complete URL of the feed, credentials included, to subscribed users.
This is only a test, performed with the SSL and HTTP authentication RSS test feed available on silverorange.
Now think about the consequences when users subscribe to Gmail or any other “secure” web feed that uses SSL and HTTP authentication. The problem is real and could have many undesired consequences.
The best thing to do is not to use such feeds in online services like Bloglines. Even in stand-alone software it can be unsafe, since the stored URL still carries the password. I pointed out a week ago why I do not like this strategy for handling the problem of secure web feeds. This is a beautiful example of the problems it can lead to. You can read my article on the problem and my proposed solution here: Secure Web Feed Protocol.
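To make the point concrete, here is an added example that is not code from the original post nor from Bloglines or NewsGator. It shows the two sides of the problem described above: the credentials living in the userinfo part of a feed URL (as in the Gmail and silverorange URLs), and the way an aggregator should handle them instead, by stripping them from the URL it stores and displays and sending them in an HTTP Basic Authorization header over HTTPS only. The host feeds.example.com and the testuser/testpass credentials are placeholders, not real accounts; the code builds the request pieces offline and makes no network call.

```python
"""
Added example (not from the original post): detect credentials embedded in
the userinfo component of a feed URL (https://USER:PASS@host/path), strip
them from the URL that gets stored or displayed, and carry them in an
Authorization header instead. Hosts and credentials are placeholders.
"""
import base64
from urllib.parse import unquote, urlsplit, urlunsplit


def split_credentials(feed_url: str):
    """Return (clean_url, username, password).

    The userinfo part (USERNAME:PASSWORD@) is removed from the URL and the
    credentials are returned separately, percent-decoded, so the aggregator
    can keep them apart from the URL it shows in a blogroll or preview page.
    URLs without userinfo are returned unchanged with (None, None).
    """
    parts = urlsplit(feed_url)
    if parts.username is None:
        return feed_url, None, None

    host = parts.hostname or ""
    if ":" in host:                      # IPv6 literal: urlsplit strips the brackets
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"

    clean = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    username = unquote(parts.username)
    password = unquote(parts.password) if parts.password is not None else ""
    return clean, username, password


def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization header value (RFC 7617 Basic scheme)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def redact_for_display(feed_url: str) -> str:
    """What a public blogroll or feed preview may safely show: the URL
    with the userinfo component removed."""
    clean, _, _ = split_credentials(feed_url)
    return clean


def fetch_request(feed_url: str):
    """Return (url, headers) for fetching the feed without the credentials
    ever appearing in the URL. Basic credentials are base64, not encrypted,
    so they are only ever attached over https; plain http raises."""
    clean, user, password = split_credentials(feed_url)
    headers = {}
    if user is not None:
        if urlsplit(clean).scheme.lower() != "https":
            raise ValueError("refusing to send Basic credentials over plaintext HTTP")
        headers["Authorization"] = basic_auth_header(user, password)
    return clean, headers


if __name__ == "__main__":
    # Constructed sample: the shape of the silverorange test URL from the post,
    # with a placeholder host.
    sample = "https://testuser:testpass@feeds.example.com/rsstest/httpauth/rss_with_ssl_and_auth.xml"
    print("display:", redact_for_display(sample))
    print("request:", fetch_request(sample))
```

The point of the split is that the credentials are never part of the string an aggregator has to store next to a subscription, so a public blogroll, a preview page or a copied URL can only ever leak the clean form. The refusal to attach Basic credentials over plain http mirrors the page’s own requirement that such feeds use SSL.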
This experience is a good example of the security threats that can appear when more than one system starts to interact with the others.
Greg Reinacker
May 14, 2005 — 7:46 pm
FYI, NewsGator Online has explicit support for feeds that require authentication, and you do NOT need to put the credentials in the URL as described here. In fact, you should definitely NOT put credentials into a URL, for the reasons you describe here and others. Just wanted to correct the point about NewsGator, though… since we have explicit support for authenticated feeds.
Fred
May 14, 2005 — 7:46 pm
Hello Mr. Reinacker, thanks a lot for this comment. My point is not really to target any service. The point is to try to say to users: wait, do not do everything without asking questions… it’s sure that this new technology is really cool, but depending on how you use it, you could have some security/privacy problems. Salutations, Fred
John Fuller
May 14, 2005 — 7:47 pm
http://www.kbcafe.com/iBLOGthere4iM/?guid=20041117223055 Another variation. In this case I did not have to subscribe to get the user name and password. Don’t remember much of the details because this was discovered in November. I posted this on my weblog at the time but have since taken it down. You can find the info at the above mentioned address.
Mark Fletcher
May 15, 2005 — 7:47 pm
Thanks for the comments. We hide any feed that has a username/password encoded in it. There was a bug that would cause some HTTPS feeds like this to show (which you saw), but that has been fixed. Also, password protected feeds are no longer displayed in the public display of someone’s account.
Fred
May 15, 2005 — 7:48 pm
Hello Mr. Fletcher,
I knew that you would handle the problem, and that is what you have done, thanks.
However, this is a beautiful example of the security threats that could arise when more than one system is used together (systems that are not necessarily built to interact together). It’s the responsibility of everybody to be aware of the risks, especially users.
If we have one thing to remember from this story, I think it would be this.
Take care,
Salutations,
Fred
Dan W
May 16, 2005 — 7:49 pm
Fred – I think the reason behind Greg’s post was because you’ve explicitly named NewsGator in your article, thus suggesting that they have the same problem as Bloglines. It certainly sent me scurrying off to NewsGator to make sure my password wasn’t being exposed (which it’s not, just to confirm what Greg’s saying). If your point is “not really to target any service” then it might be worth editing the article to remove the suggestion that NewsGator has the same problem. Credit where credit is due, they’ve had the foresight to implement a more robust solution here. Cheers, Dan.
Fred
May 16, 2005 — 7:50 pm
Hello Dan,
Thanks a lot for the reminder! I was not at home yesterday and forgot to change it (I can’t change it without having access to my laptop with Radio). You are completely right and it’s my error, sorry. It’s done.
Salutations,
Fred
Dave
May 17, 2005 — 7:50 pm
I found this in Bloglines about 6 months ago, and wrote to Bloglines, GMail, and Nick Bradbury (of FeedDemon / TopStyle fame) about this. The reply I received was similar to yours, but the GMail team said this was only due to some people using custom Python/other scripts. They summed up saying the issue had been resolved, but clearly, 6 months on, it hasn’t.
Fred
May 17, 2005 — 7:51 pm
Hello Dave,
I had really good feedback from Bloglines and NewsGator. So, as said up there, there is no known problem with the NewsGator system. It seems that there was a bug in Bloglines that they will fix soon.
I didn’t send any emails to GMail and I’m not expecting to receive any. I understand that this is not their problem. Why? Because they only provide a service to their users. They don’t really care how their users will use it. It’s understandable. Is it the right philosophy? That’s another question… the security field is young in computer science and the responsibilities are not well known.
Salutations,
Fred