Hijacking RSS feeds with Feedburner plugin for WordPress

In one of his latest blog posts, David Kierznowski disclosed a vulnerability in the FeedSmith Feedburner plugin for WordPress:

Feedsmith Feedburner plugin for WordPress is vulnerable to a CSRF attack that can allow an attacker to completely hijack blog feeds. In other words, if an attacker can control the Feedburner plugin, it means 100% of traffic will be hijacked [and] can then be used to track all [hijacked] subscriber traffic and usage.

Proof-of-concept code is available at blogsecurity.net.
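The vulnerability class described above is a settings page that accepts a POST from any origin while the blog administrator is logged in, so an attacker's page can silently repoint the feed redirect. The following is an added illustration written for this page, not FeedSmith's actual code; the plugin name, option name, function names and the `feeds.feedburner.com` host allowlist are all hypothetical. It places a deliberately unprotected save handler beside the hardened one that WordPress nonces and capability checks give you.

```php
<?php
/*
Plugin Name: Feed Redirect (hypothetical CSRF example, not FeedSmith)
Description: Redirects the blog's feeds to a configured URL. Shows a CSRF-prone
             settings handler next to a hardened one.
*/

// Hypothetical option name; FeedSmith's real option is not known to this example.
define('FR_OPTION', 'fr_redirect_target');

add_action('admin_menu', function () {
    add_options_page('Feed Redirect', 'Feed Redirect', 'manage_options',
                     'fr-settings', 'fr_settings_page');
});

// VULNERABLE: any POST that carries the field is honoured. Because the admin's
// cookies are sent automatically, a form auto-submitted from an attacker's site
// is indistinguishable from the admin clicking "Save". Kept only for contrast.
function fr_save_vulnerable() {
    if (isset($_POST['fr_redirect_target'])) {
        update_option(FR_OPTION, $_POST['fr_redirect_target']);
    }
}

// HARDENED: capability check, per-user/per-action nonce, sanitisation and an
// allowlist on the destination host.
function fr_save_hardened() {
    if (!isset($_POST['fr_redirect_target'])) {
        return;
    }
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient privileges');
    }
    // Dies unless the POST carries a valid nonce for this action that was
    // generated for the currently logged-in user; a cross-site form cannot
    // obtain one.
    check_admin_referer('fr_save_settings', 'fr_nonce');

    $target = esc_url_raw(wp_unslash($_POST['fr_redirect_target']));
    $host   = wp_parse_url($target, PHP_URL_HOST);
    // Hypothetical allowlist: only FeedBurner hosts may be configured. This
    // limits damage but is not the fix; the nonce check above is.
    if ($target === '' || $host !== 'feeds.feedburner.com') {
        wp_die('Invalid redirect target');
    }
    update_option(FR_OPTION, $target);
}

function fr_settings_page() {
    fr_save_hardened();
    $current = esc_attr(get_option(FR_OPTION, ''));
    echo '<div class="wrap"><h2>Feed Redirect</h2>';
    echo '<form method="post" action="' . esc_url(admin_url('options-general.php?page=fr-settings')) . '">';
    // Emits a hidden field named fr_nonce bound to the fr_save_settings action.
    wp_nonce_field('fr_save_settings', 'fr_nonce');
    echo '<input type="text" name="fr_redirect_target" value="' . $current . '" size="60">';
    echo '<p><input type="submit" class="button-primary" value="Save"></p>';
    echo '</form></div>';
}

// The payoff of a successful hijack: every feed request is sent to the
// configured target, so whoever controls the option controls subscriber traffic.
add_action('template_redirect', function () {
    if (!is_feed()) {
        return;
    }
    $target = get_option(FR_OPTION, '');
    if ($target !== '') {
        wp_redirect($target, 302);
        exit;
    }
});
```

To confirm a fix of this kind, submit the settings form from a page on a different origin while logged in as an administrator: the vulnerable handler silently changes the feed target, the hardened one stops with the "link you followed has expired" nonce failure. Note that a host allowlist alone would not have prevented the hijack described above, since the attacker can register their own FeedBurner feed; the nonce is what ties the request to an action the administrator actually took.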

According to Mr. Kierznowski, Google responded quickly:

The guys at Google have been great and have just released a brand new version of FeedSmith Feedburner (v2.3).