Retrieving a user's personal info requires only a visit to a malicious web page

Jan 13, 2009 08:55 GMT

A vulnerability in Safari's handling of RSS feeds could allow an attacker to capture a user's personal information, cookies, or even passwords, Brian Mastenbrook reveals. Mastenbrook is credited with discovering multiple vulnerabilities in Mac OS X.

“I have discovered that Apple's Safari browser is vulnerable to an attack that allows a malicious web site to read files on a user's hard drive without user intervention,” Mastenbrook writes. “This can be used to gain access to sensitive information stored on the user's computer, such as emails, passwords, or cookies that could be used to gain access to the user's accounts on some web sites.”

According to Brian, the vulnerability has been acknowledged by Apple. Reportedly, “All users of Mac OS X 10.5 Leopard who have not changed their feed reader application preference from the system default are affected, regardless of whether they use RSS feeds or use a different web browser (such as Firefox).”

Safari on Windows is affected as well, but only while it is the browser actually in use: Windows users who merely have it installed and browse with another application are not exposed. The workaround for Windows users is therefore simple: browse with a different web browser (Firefox, Opera, etc.). On the Mac side the situation is more serious, since the default feed handler is invoked no matter which browser is in use. Nevertheless, Mac users also have a workaround: “Simply set an alternative RSS feed handler,” Brian says, and he provides instructions on how to do so.

RSS readers such as NetNewsWire (free) and NewsFire are available for download. Another option that fits the Mac's look and feel is Vienna, an open source, free RSS reader with support for RSS and Atom feeds, article storage, and management via a SQLite database. Whichever application you choose to fetch your news, do not leave the RSS feed handler preference at its default, at least not until Apple fixes the issue.