A new hole discovered in Google's RSS readers

Jul 19, 2007 10:28 GMT

Google is again the subject of a security advisory, as the way it handles the RSS auto-subscribe functions might bring some unauthorized traffic to malicious websites. The security flaw was discovered by Patrick Altoft from BlogStorm, who wrote that almost any page is able to exploit the vulnerability in a matter of seconds. Here is how it works: you have surely seen at least one button on a website that you click in order to receive its feeds straight in your Google account. Usually, when you click on the button, Google asks you if you want to read the feeds in Google Reader or in iGoogle with a special gadget.

Well, a successful exploitation of the vulnerability makes the function skip this prompt and automatically subscribe you to both Google Reader and iGoogle. This way, any website can record an increase in its number of readers, which usually means more traffic and obviously more money. According to the report, the vulnerability can be easily exploited by a website placing special code into its content.

"The problem is that unscrupulous websites can copy the links to Add to Google homepage or Add to Google Reader and open them up in an IFRAME for every visitor, meaning that anybody who visits their website while signed in to a Google account will suddenly have subscribed to the RSS feed on both Google Reader and the Google homepage automatically," Patrick Altoft wrote.

Some users claim the vulnerability was already fixed by the folks from Google Reader, but Patrick Altoft maintains it is still present and exploitable by any ill-intentioned website. "Well, I was going to mention it to the Reader team, but it sounds like they've already responded. Cool," Matt Cutts, a Google engineer, wrote as a reply to the BlogStorm post.
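One way a service can close this kind of hole, shown as an added example that is not from the BlogStorm report or from Google's code: a GET on the subscribe link only renders the confirmation prompt, the prompt refuses to be displayed inside another site's frame, and the subscription is recorded only on a POST carrying a token bound to the signed-in session. The endpoint, function names, session ids and feed URL are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret, generated here for the example

# Response headers that stop a page from being rendered inside another site's frame.
NO_FRAME = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}

def confirm_token(session_id: str, feed_url: str) -> str:
    """Token tied to one session and one feed; only the confirmation page carries it."""
    msg = f"{session_id}\n{feed_url}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def handle_subscribe(method, session_id, feed_url, token, subscriptions):
    """Return (status, headers, body) for a hypothetical /subscribe endpoint."""
    if method == "GET":
        # A framed link can only trigger a GET, and a GET never changes state:
        # it renders the "add this feed?" prompt, which itself cannot be framed.
        form = ('<form method="POST"><input type="hidden" name="token" '
                f'value="{confirm_token(session_id, feed_url)}">Add feed?</form>')
        return 200, NO_FRAME, form
    if method == "POST":
        expected = confirm_token(session_id, feed_url)
        # Constant-time comparison; a missing or foreign token is rejected.
        if token and hmac.compare_digest(token.encode(), expected.encode()):
            subscriptions.setdefault(session_id, set()).add(feed_url)
            return 200, NO_FRAME, "subscribed"
        return 403, NO_FRAME, "missing or invalid confirmation token"
    return 405, NO_FRAME, "method not allowed"
```

A third-party page cannot read the token out of the confirmation prompt because of the browser's same-origin policy, so it cannot forge the POST on the visitor's behalf.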