RSS Feeds May Pose Security Threat

What is one of the latest security threats? RSS feeds. Apparently an attacker could try to insert malicious code in the form of Java Script into any RSS feed. The threatening code can be delivered to a user’s PC in three main ways. A blog can be set up for the distribution of the malicious code. (Meaning it’s a fake blog offering an RSS feed loaded with malicious JavaScript. When the users subscribes to the feed, the virus is invited into their machines.) Also, the malicious code can be inserted into the comments features of a legitimate blog so when the subscribers receive their news feeds with user comments, they get the malicious code too. Or, malicious code can be inserted into mailing lists that offer news feeds.

Of course, you do have to subscribe to RSS feeds to be at risk but any old RSS feed can be a threat, regardless of the content source. This means any online publisher, not just bloggers, utilizing RSS feeds can be at risk for infecting their customers. If the malicious code enters the RSS feed from the publisher’s site (e.g. the code is added into the comments feature of a blog entry and the publisher doesn’t prevent it), then those harmed by the code may seek to hold the publisher responsible for financial losses resulting from the hacker’s attack. If the malicious code enters the RSS feeds from a mailing list or other third party source, the online publisher may not be responsible for its customers’ financial losses but can still incur defense costs to determine where responsibility lies.

Securing insurance coverage for “failure to prevent introduction of malicious code” (or similar language) is one solution for protecting against this new security threat. Ask your underwriter to endorse this protection onto your client’s media liability policy if the standard form doesn’t already contain such language. Some companies may not offer security protection for their media insureds as readily as they do for their internet or tech insureds. But clearly they should. For more on security threats and coverages, review the Security section of our blog.