Protection against Browser Hijack from weird Techcrunch RSS feed

James_Pain · October 15, 2021, 9:36pm

A couple days ago, when browsing through my Newsblur, I was being spontaneously redirected to a dodgy site. Looking into it, it seems the RSS is loading an iFrame which is triggering a URL load for the parent browser with a bunch of my meta data in the URL params.

Turns out, I added the Techcrunch RSS by putting the plain website into the ‘Add a new site’ and choosing an autocomplete option. I don’t know if it’s changed since, but the feed URL for it in my Newsblur is now (DO NOT CLICK) TechCrunch (DO NOT CLICK).

This is obviously malicious, and the feed shouldn’t be trusted any more so I’ll remove it. However I’d like to see some kind of protection in Newsblur to strip iFrames or even arbitrary Javascript, and perhaps protect against malicious feeds.

I have a screen recording of the recreation which I can give to you privately, Samuel, if you want it.

samuelclay · October 15, 2021, 9:34pm

Oh interesting, I subscribe to that feed as well and I didnt see it because I had the stories hidden. I’ll fix this one off, but as for future protection, I sense a growing need to have something. We strip most everything from RSS feeds except iframes, where we explicitly allow it. It does offer protection against your data, even though it does force that icky redirect, but the offending website can’t access your data.

Here’s the code that allows for iframes:

github.com

samuelclay/NewsBlur/blob/master/utils/feed_fetcher.py#L34


from apps.reader.models import UserSubscription
from apps.rss_feeds.models import Feed, MStory
from apps.rss_feeds.page_importer import PageImporter
from apps.rss_feeds.icon_importer import IconImporter
from apps.notifications.tasks import QueueNotifications
from apps.notifications.models import MUserFeedNotification
from apps.push.models import PushSubscription
from apps.statistics.models import MAnalyticsFetcher, MStatistics

import feedparser
feedparser.sanitizer._HTMLSanitizer.acceptable_elements.update(['iframe'])

from utils.story_functions import pre_process_story, strip_tags, linkify
from utils import log as logging
from utils.feed_functions import timelimit, TimeoutError
from sentry_sdk import capture_exception, flush
from qurl import qurl
from bs4 import BeautifulSoup
from mongoengine import connect, connection
from django.utils import feedgenerator
from django.utils.html import linebreaks

But I’ll fix this site and get the main TechCrunch feed url back to normal. Thanks for letting me know!

richard4339 · October 18, 2021, 5:04pm

Did you get the feed itself fixed? https://newsblur.com/site/12/techcrunch is still definitely the hijacked feed. I’m starting to think they hijacked the actual Feedburner feed. The correct URL now looks like it should be https://techcrunch.com/feed

samuelclay · October 18, 2021, 7:42pm

Thanks for reminding me, just fixed the feed as well.