Feedly Android app vulnerable to JavaScript injection

By  | 

Feedly Android app is vulnerable to JavaScript injection that could not only compromise privacy of millions of users.

According to a Singapore based security researcher Jeremy S. Feedly’s Android app fails to sanitize javascript code allowing attackers to perform code execution.

“The android app does not sanitize javascript codes and interpretes them as codes. As a result, allows potential attackers to perform javascript code executions on victim’s Feedly android app session via a crafted blogpost”, notes the researcher.

One pre-requisite is that victim should be subscribed to the RSS feed where the attacker injects the malicious JavaScript code.

Jeremy S. discovered the vulnerability on March 10 and reported it to Feedly. The vulnerability was allegedly fixed on March 17, but there has been no confirmation from Feedly as the change logs on Google Play Store for the app doesn’t mention the vulnerability. This indicates that a manual update of the app is the likely option if you want to get rid of the vulnerable app.

An attacker could modify or read cookies, inject tracking codes, temporarily edit web page contents, modify web forms on the device where the malicious RSS feed is accessed through the vulnerable Feedly App.