Feedly fixes Android JavaScript code injection flaw, deems it "harmless"

Share this article:
Feedly fixes Android JavaScript code injection flaw, deems it "harmless"
Even though it fixed the issue, the company did not really consider it a vulnerability.

A flaw that a security researcher said could enable JavaScript code injection in the Android app version of news aggregator Feedly has been addressed, but was also a trifle dismissed by the company as “harmless” and not really a vulnerability.

The bug enables an attacker to inject malicious JavaScript codes through an RSS feed in a Feedly post, the researcher, going by the name Jeremy S., wrote on Saturday, explaining the attack is only possible if the user has subscribed to the feed.

The issue exists because, unlike the web browser and iOS variants of the service, JavaScript codes on the Android app are not sanitized, Jeremy S. wrote.

In images accompanying his post, Jeremy S. showed how a malicious injection payload appears as the JavaScript code in a browser, but then appears on the Android app as a button redirecting to a malicious website.

That could open the door to any number of problems.

“It's a simple matter of [Feedly's] use of embedding a WebView – basically embedding the system web browser inside the app – to render content,” Zach Lanier, senior security researcher with Duo Security, told SCMagazine.com in a Monday email correspondence.

Interestingly, WebViews in Android do not honor and execute JavaScript by default, Lanier said, adding that the developer must explicitly enable the view's JavaScript support.

“What could have happened here is that [Feedly] enabled it deliberately for who-knows-what-reason,” Lanier said. “I don't find that this is a common issue, namely because of JavaScript being off by default in WebViews.”

Olivier Devaux, co-founder of Feedly, told SCMagazine.com in a Monday email correspondence that the issue was fixed instantly within 24 hours of being reported and that he is not aware of any users having been impacted.

“To be honest there is not much the injected code could have done anyway given that it is running in a browser sandbox,” Devaux said. “This blog post was more a catchy headline than a real vulnerability. We are committed to fixing all the issues, even the harmless ones like this one, as quickly as we can.”

Neither Devaux, nor another Feedly spokesperson, responded to follow-up questions on why the company deemed the vulnerability harmless if it could enable redirecting to malicious websites. Jeremy S. did not respond to a SCMagazine.com request for comment.

[An earlier version of this story incorrectly stated that the bug impacts Feedly for Android 19.3.0].
Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

Beazley: employee errors root of most data breaches, but malware incidents cost ...

Insurance firm Beazley analyzed more than 1,500 data breaches it serviced between 2013 and 2014.

Apple issues seven updates, fixes more than 40 vulnerabilities in iOS 8, OS 10.9.5

Apple issues seven updates, fixes more than 40 ...

In one of its infrequent "Update Surprisedays," Apple plugged holes, boosted security and added features.

Canadian telecom co. Telus unveils first transparency report

The company received more than 100,000 government requests for customer data last year.