Software Engineering Institute

Google Reader is an online RSS feed reader. It can display text and images when displaying RSS feeds.

Google Reader contains a cross-site request forgery (XSRF) vulnerability that could be used to prevent a user from logging on to the service.

The Google Reader logoff button can be represented as a hyperlink. An attacker may be able to execute this link by supplying it as an image source in a malicious RSS feed. Once a user subscribes to the RSS feed, they will be unable to login to their Google Reader account.

Note that an attacker would have to convince a user to load a malicious RSS feed to exploit this vulnerability.

A remote unauthenticated attacker may be able to prevent a user from logging in to Google Reader.

We are currently unaware of a practical solution to this problem, however the following workarounds may help mitigate the vulnerability.

Do not load images from third party sites

Preventing third party sites from loading images in your web browser may mitigate this vulnerability. See the references section of this document for information on how to block images in specific browsers.