Safari RSS vulnerability discovered; simple workaround explained

“Computer scientist Brian Mastenbrook has discovered a fairly serious bug in Safari’s RSS feed handling that can allow a maliciously-crafted web page to access personal information without any knowledge or intervention of the user,” Chris Foresman reports for Ars Technica.

“This vulnerability affects any Mac OS X user that has Safari set as the default feed reader in Safari’s RSS preferences,” Foresman reports.

“The workarounds are fairly simple and straightforward. Mac users need to fire up Safari and go to Safari > Preferences > RSS, and set the default reader to anything other than Safari, even Mail. Windows users can simply use a different browser, though that doesn’t bode well for Safari’s adoption on Windows. Hopefully Apple will release a fix soon,” Foresman reports.

Full article here.

MacDailyNews Note: In Mac OS X Leopard, you can subscribe to an RSS feed in Mail and you’ll know the moment an article hits. You can even choose to have new articles appear in your inbox alongside your latest email messages. Sorting your news is easy, too. Use Smart Mailboxes to organize incoming news articles according to search terms of interest. Mail shares its unread RSS feed count with Safari, so your reading list always stays in sync.

[Thanks to MacDailyNews Reader “Lurker_PC” for the heads up.]


  1. Not great that there is a vulnerability like this. The change was simple enough but it would still be good of Apple to get it resolved… if for nothing else than to stem the bad publicity that is likely to ensue as well as the finger pointing we’ll get from our Windoze buddies.

    Too bad I don’t have 70,000+ fingers to point back!

  2. So far, Mac’s problems have been “theoretical”, rather than “actual”. This doesn’t become an “actual” problem until someone gets bit by it.
    This has nothing to do with Apple getting “larger”, it’s a case of poorly considered code that should have been noticed and fixed before it was released.
    Not entirely certain I want my Safari browser opening anything other than, perhaps, Firefox. Will give that a try. It’s only the RSS, which is mostly “safe” sites.

  3. While it may be a “simple workaround”; let’s not sugarcoat this MDN; this is a major security blunder which is very inconvenient for Mac users (like me) who have always enjoyed the integrated RSS experience within Safari.

    It’s pretty disappointing Apple hasn’t managed to patch this (or would even let the security hole occur.

    We expect better…

  4. MDN has failed to do their homework on this issue, and keep updated on it.

    The original author’s page states:
    “Note: The original version of this page contained a simple workaround for this issue which I believed would protect users against this problem. I have since discovered (on 13 January 2009) that changing the default RSS feed reader application in Safari does not correctly disassociate Safari from all RSS feed URLs. The workaround section of this post has been updated with additional information. I regret that what initially appeared to be a simple workaround is now substantially more complicated and requires the installation of third-party software to perform.”

    Linked from the Ars site that MDN links to.

  5. While it is a serious flaw…why not use Google Reader? By far the best reader out there! Also, Apple does have the occasional problem, before everyone was a fan boy and when they were struggling in the dark times. It just get’s more press now that there is no doom and gloom news.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.