[liberationtech] FOE - feed over email

Steve Weis steveweis at gmail.com
Mon Mar 14 08:30:18 PDT 2011


I wrote a blog post outlining these concerns:
http://blog.saweis.net/security-issues-with-feed-over-email

On Sun, Mar 13, 2011 at 7:29 PM, Rebecca MacKinnon <rebecca.mackinnon at gmail.com> wrote:

> Hi there. A query was posted to the list about this a couple months ago.
> Listmember Steve Weis responded:
> ---
> Glancing through the code, I don't see any circumvention. It relies on
> using a mail provider that supports SSL. That is optional and must be
> configured by the end user (see below).
>
> If a user does not configure FOE to use an SSL email provider,
> everything will be sent in the clear. That is easy to filter and could
> put end users receiving verboten material at risk.
>
> Worse, there is no authentication of message payloads from the server.
> I think I can spoof a message with a malicious payload that will be
> written to disk in the client's RSS catalog (see link below).
>
> This is somewhat moot because it is Windows-only, requires installing
> a client, and no binaries are available for download. That's probably
> a good thing.
>
> A couple issues from a cursory look at the code:
> 1. SSL is not required. Someone using this who didn't explicitly use
> an email provider supporting SSL will be trivial to track:
>
> http://code.google.com/p/foe-project/source/browse/trunk/FOE/foe2010-current/Common/OpenPOP-SSL/POP3/POPClient.cs#444
> 2. There is no authentication of messages from the server. This could
> put clients at risk since they will be saving untrusted content to
> disk:
> http://code.google.com/p/foe-project/source/browse/trunk/FOE/foe2010-current/Client/FoeClientMessage.cs#290
> 3. I suspect the server DB code is vulnerable to SQL injection attack,
> although input might be getting properly sanitized by C#'s SqlClient.
> I will bet a beer that someone can find an exploit:
>
> http://code.google.com/p/foe-project/source/browse/trunk/FOE/foe2010-current/Server/FoeServerMessage.cs#259
>
> Background links:
>
> http://code.google.com/p/foe-project/
>
> http://www.defcon.org/images/defcon-18/dc-18-presentations/Ho/DEFCON-18-Ho-FOE.pdf
>
>
>
> On Mar 13, 2011, at 10:04 PM, Katrin Verclas wrote:
>
> Hi, list -- came across this project:
> http://code.google.com/p/foe-project/.
>
> It claims to: FOE (Feed Over Email) is a new tool that allows users to
> receive RSS feeds from foreign websites without the need to find a working
> proxy server or install any proxy software.
>
> Technically, FOE is built on top of SMTP and works on most email servers as
> long as the user has access to POP3 and SMTP.
>
> Have not checked it out and it's late but wonder whether anyone has
> tested/checked out?
>
>
> Katrin Verclas
> MobileActive.org
> katrin at mobileactive.org
>
> skype/twitter: katrinskaya
> (347) 281-7191
>
> A global network of people using mobile technology for social impact
> http://mobileactive.org
>
> _______________________________________________
> liberationtech mailing list
> liberationtech at lists.stanford.edu
>
> Should you need to change your subscription options, please go to:
>
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
> If you would like to receive a daily digest, click "yes" (once you click
> above) next to "would you like to receive list mail batched in a daily
> digest?"
>
> You will need the user name and password you receive from the list
> moderator in monthly reminders.
>
> Should you need immediate assistance, please contact the list moderator.
>
> Please don't forget to follow us on http://twitter.com/#!/Liberationtech
>
>
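Steve's second point above, a client writing unauthenticated server mail straight into its RSS catalog, is the kind of gap a message authentication code over the payload closes. The following is an added illustration and not FOE's code: the key, the X-Feed-MAC header and the addresses are constructed for the example, and the client refuses to store any message whose tag does not verify.

```python
import email
import hashlib
import hmac
import os
from email import policy
from email.message import EmailMessage

# Constructed values for this example; FOE itself has no such key or header.
CLIENT_KEY = b"constructed-per-client-secret"
SIG_HEADER = "X-Feed-MAC"  # hypothetical header name, not part of FOE


def mac_for(body: bytes, key: bytes) -> str:
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_feed_mail(feed_id: str, payload: str, key: bytes) -> str:
    """Server side: the MAC covers the decoded body bytes, which the client recomputes."""
    msg = EmailMessage()
    msg["From"] = "feed-server@example.invalid"
    msg["To"] = "client@example.invalid"
    msg["Subject"] = feed_id
    msg.set_content(payload)
    msg[SIG_HEADER] = mac_for(msg.get_payload(decode=True), key)
    return msg.as_string()


def verified_payload(raw_mail: str, key: bytes):
    """Client side: return the body only when its MAC verifies, otherwise None."""
    msg = email.message_from_string(raw_mail, policy=policy.default)
    body = msg.get_payload(decode=True)
    tag = msg.get(SIG_HEADER)
    if body is None or tag is None:
        return None
    # Constant-time comparison so a forged tag cannot be guessed byte by byte.
    if not hmac.compare_digest(mac_for(body, key), str(tag).strip()):
        return None
    return body


def catalog_path(catalog_dir: str, feed_id: str) -> str:
    # Name the file by a hash of the feed id so a spoofed Subject cannot choose the path.
    return os.path.join(catalog_dir, hashlib.sha256(feed_id.encode()).hexdigest()[:16] + ".xml")


def store_feed(raw_mail: str, key: bytes, catalog_dir: str) -> bool:
    body = verified_payload(raw_mail, key)
    if body is None:
        return False  # unauthenticated mail never reaches the catalog
    subject = email.message_from_string(raw_mail, policy=policy.default)["Subject"] or ""
    with open(catalog_path(catalog_dir, str(subject)), "wb") as fh:
        fh.write(body)
    return True
```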

