
Article:
 Putting RSS to Work: Immediate Action Feeds
Subject: malicious actions
Date: 2005-12-14 20:07:26
From: Daniel_Kang

What about hijacked RSS feeds with links causing harmful actions? Is there a possibility for a perversion of this system you call Immediate Action Feeds?

  • malicious actions
    2005-12-14 21:00:30 mwoodman

    Great question. It is absolutely possible. If a feed can be hijacked, then anything within can be corrupted... whether or not it contains immediate action items.


    There are a number of anti-hijack efforts going on, so the ultimate solution for the problem neither begins nor ends here. That being said, it is important to be very careful about providing action items which alter application state without some form of authentication. This boils down to either authenticating after the click (like eBay's "Watch this Item") or before the click with a secured, authenticated feed.


    Another potential safeguard is the use of a one-time security token as part of the action item. This article, "Generating One-Time URLs with PHP", describes one approach: http://www.onlamp.com/pub/a/php/2002/12/05/one_time_URLs.html
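
The one-time token idea from the reply above, as an added Python example that is not from the thread or from the linked PHP article. The endpoint `feeds.example`, the function names and the in-memory nonce set are assumptions made for illustration; a real service would keep the secret and the redeemed nonces in persistent storage.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlsplit

BASE = "https://feeds.example/act"   # hypothetical action endpoint
KEY = secrets.token_bytes(32)        # constructed per-process secret for the demo
_used = set()                        # redeemed nonces; stand-in for a database table


def _mac(fields):
    """HMAC-SHA256 over the canonical (sorted, URL-encoded) fields."""
    msg = urlencode(sorted(fields.items())).encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()


def issue_action_url(user, action, item, ttl=3600, now=None):
    """Build the link for one feed entry, bound to user, action, item and expiry."""
    now = time.time() if now is None else now
    fields = {"u": user, "a": action, "i": item,
              "e": str(int(now + ttl)), "n": secrets.token_urlsafe(16)}
    fields["s"] = _mac(fields)  # signature is computed before "s" is added
    return BASE + "?" + urlencode(fields)


def redeem(url, now=None):
    """Return (user, action, item) once for a valid link, otherwise None."""
    now = time.time() if now is None else now
    fields = dict(parse_qsl(urlsplit(url).query))
    sig = fields.pop("s", "")
    if set(fields) != {"u", "a", "i", "e", "n"}:
        return None                      # missing or extra parameters
    if not hmac.compare_digest(sig.encode(), _mac(fields).encode()):
        return None                      # any edited field breaks the MAC
    if int(fields["e"]) < now:
        return None                      # expired
    if fields["n"] in _used:
        return None                      # already redeemed (replay)
    _used.add(fields["n"])
    return fields["u"], fields["a"], fields["i"]
```

Because the signature covers the user, action and item together, a feed entry whose link has been edited to point at a different action fails verification, and a link that was already clicked cannot be replayed.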

