Feedly fixes Android JavaScript code injection flaw, deems it "harmless"

Even though it fixed the issue, the company did not really consider it a vulnerability.

A flaw that a security researcher said could enable JavaScript code injection in the Android app version of news aggregator Feedly has been addressed, but was also somewhat dismissed by the company as “harmless” and not really a vulnerability.

The bug enables an attacker to inject malicious JavaScript code through an RSS feed in a Feedly post, the researcher, who goes by the name Jeremy S., wrote on Saturday, explaining that the attack is only possible if the user has subscribed to the feed.

The issue exists because, unlike the web browser and iOS variants of the service, JavaScript code on the Android app is not sanitized, Jeremy S. wrote.

In images accompanying his post, Jeremy S. showed how a malicious injection payload appears as the JavaScript code in a browser, but then appears on the Android app as a button redirecting to a malicious website.

That could open the door to any number of problems.

“It's a simple matter of [Feedly's] use of embedding a WebView – basically embedding the system web browser inside the app – to render content,” Zach Lanier, senior security researcher with Duo Security, told SCMagazine.com in a Monday email correspondence.

Interestingly, WebViews in Android do not honor and execute JavaScript by default, Lanier said, adding that the developer must explicitly enable the view's JavaScript support.

“What could have happened here is that [Feedly] enabled it deliberately for who-knows-what-reason,” Lanier said. “I don't find that this is a common issue, namely because of JavaScript being off by default in WebViews.”
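As an added illustration of the WebView setting Lanier describes (this is not Feedly's code), the sketch below renders one untrusted feed item with JavaScript explicitly off and with link clicks restricted to http/https and handed to the system browser. The class and method names are hypothetical, and the `WebResourceRequest` callback assumes Android API level 24 or later.

```java
import android.content.Intent;
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

/** Hypothetical helper: renders one untrusted feed item in a locked-down WebView. */
public final class FeedItemRenderer {

    private FeedItemRenderer() {}

    public static void render(WebView view, String untrustedItemHtml) {
        WebSettings settings = view.getSettings();
        // Off by default; set explicitly so a later change elsewhere shows up in review.
        settings.setJavaScriptEnabled(false);
        // Feed content has no reason to read local files or content:// providers.
        settings.setAllowFileAccess(false);
        settings.setAllowContentAccess(false);

        view.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView v, WebResourceRequest request) {
                Uri target = request.getUrl();
                String scheme = target.getScheme();
                // Only plain web links leave the app; javascript:, file:,
                // intent: and any other scheme are dropped.
                if ("http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme)) {
                    Intent open = new Intent(Intent.ACTION_VIEW, target);
                    open.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
                    v.getContext().startActivity(open);
                }
                return true; // never navigate inside the embedded view
            }
        });

        // A null base URL defaults to about:blank, so the item is not
        // given an app or file origin.
        view.loadDataWithBaseURL(null, untrustedItemHtml, "text/html", "UTF-8", null);
    }
}
```

Turning JavaScript off does not remove HTML buttons or links from the item; the `WebViewClient` check is what limits where a tap can lead, and sanitizing the feed markup before rendering remains a separate step.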

Olivier Devaux, co-founder of Feedly, told SCMagazine.com in a Monday email correspondence that the issue was fixed instantly within 24 hours of being reported and that he is not aware of any users having been impacted.

“To be honest there is not much the injected code could have done anyway given that it is running in a browser sandbox,” Devaux said. “This blog post was more a catchy headline than a real vulnerability. We are committed to fixing all the issues, even the harmless ones like this one, as quickly as we can.”

Neither Devaux, nor another Feedly spokesperson, responded to follow-up questions on why the company deemed the vulnerability harmless if it could enable redirecting to malicious websites. Jeremy S. did not respond to a SCMagazine.com request for comment.

[An earlier version of this story incorrectly stated that the bug impacts Feedly for Android 19.3.0].