PubSubHubbub Security Concerns ・ 詹姆斯 - http://www.xn--8ws00zhy3a.com/blog...
Nov 22, 2009
"If the hub supports XML entity expansion (and some implementations clearly do), the attacker could easily create a feed that is minuscule on their end, but would expand considerably when pushed to the victim’s server." Heh. XML sucks for data representation. WhereTF are the NoXML meetings? I'll buy the pizza. Long live JSON. Die XML-scum. Regardless, a lot of these server abuse issues have to be dealt with for any type of server that will be processing untrusted input.
- Tracy
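The server-abuse point above (a feed that is tiny on the wire but expands inside the hub) is one a hub can refuse at parse time. The following is an added example, not code from this thread or from any hub implementation: a hub-side Atom parser built on the standard library's expat bindings that rejects any DOCTYPE or entity declaration, the only place a feed can define entities that expand, and additionally caps the amount of character data it will accept, so the memory cost is bounded even for a feed with no DTD. The sample feeds, the element names it looks for (unprefixed `entry`/`title`, as with a default Atom namespace) and the size limits are all constructed assumptions for the example.

```python
# Added example (not from the thread or any hub project): a hub-side Atom
# feed parser hardened against XML entity expansion.
import xml.parsers.expat


class UnsafeFeed(Exception):
    """The pushed feed uses a construct this hub refuses to process."""


def parse_feed_entries(xml_bytes, max_bytes=1_000_000, max_text=200_000):
    """Return the <title> text of each <entry> in an Atom feed.

    Refuses any DOCTYPE or entity declaration, and aborts once the parser
    has delivered more than max_text characters of text, so a feed that is
    small on the wire cannot become large inside the hub.
    """
    if len(xml_bytes) > max_bytes:
        raise UnsafeFeed(f"feed is {len(xml_bytes)} bytes, limit is {max_bytes}")

    parser = xml.parsers.expat.ParserCreate()
    parser.buffer_text = True
    stack = []      # names of the currently open elements, outermost first
    titles = []     # collected entry titles
    current = []    # text pieces of the title currently being read
    state = {"chars": 0, "collecting": False}

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # A DTD is the only way a feed can declare expanding entities.
        raise UnsafeFeed("DOCTYPE declaration refused")

    def entity_decl(*_):
        # Unreachable once DOCTYPE is refused; kept as a second line of defence.
        raise UnsafeFeed("entity declaration refused")

    def start_element(name, attrs):
        # Assumes unprefixed names (default Atom namespace) as in the samples.
        if name == "title" and stack and stack[-1] == "entry":
            state["collecting"] = True
            current.clear()
        stack.append(name)

    def end_element(name):
        stack.pop()
        if state["collecting"] and name == "title":
            titles.append("".join(current))
            state["collecting"] = False

    def char_data(data):
        # Counts every character the parser hands back, expanded or not.
        state["chars"] += len(data)
        if state["chars"] > max_text:
            raise UnsafeFeed(f"expanded text exceeds {max_text} characters")
        if state["collecting"]:
            current.append(data)

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data
    parser.Parse(xml_bytes, True)
    return titles


def triage_feed(xml_bytes):
    """Return ('accepted', titles) or ('rejected', reason) for a pushed feed."""
    try:
        return "accepted", parse_feed_entries(xml_bytes)
    except UnsafeFeed as exc:
        return "rejected", str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return "rejected", f"malformed XML: {exc}"


# Constructed sample: an ordinary feed the hub should accept.
SAFE_FEED = b"""<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Constructed sample feed</title>
  <entry><title>First post</title></entry>
  <entry><title>Second post</title></entry>
</feed>"""

# Constructed sample: a small feed whose internal DTD defines nested entities,
# the shape of a feed that is minuscule on the wire but grows on expansion.
# Only two levels here; the hub refuses it at the DOCTYPE before expanding.
EXPANSION_FEED = b"""<?xml version="1.0"?>
<!DOCTYPE feed [
  <!ENTITY a "aaaaaaaaaa">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
]>
<feed xmlns="http://www.w3.org/2005/Atom">
  <entry><title>&b;&b;&b;&b;</title></entry>
</feed>"""

# Constructed sample: no DTD at all, just one oversized title, to show the
# text cap works independently of entity handling.
OVERSIZED_FEED = (b'<feed xmlns="http://www.w3.org/2005/Atom"><entry><title>'
                  + b"x" * 300_000 + b"</title></entry></feed>")


if __name__ == "__main__":
    for label, feed in [("safe", SAFE_FEED), ("expansion", EXPANSION_FEED),
                        ("oversized", OVERSIZED_FEED)]:
        print(label, triage_feed(feed))
```

The DOCTYPE check is what actually stops expansion; the text cap is there so a hub that later needs to relax the DTD rule (or that switches parsers) still has a hard ceiling on how much a pushed feed can grow per request.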
"In the meantime, I'm happy to say that I think every issue he points out has already been or can easily be mitigated in the hubs that are out there, the biggest help being automatic subscription refreshing (http://pubsubhubbub.googlecode.com/svn...) which can narrow the window of any attack significantly."
http://groups.google.com/group...
- Tracy