Even though it fixed the issue, the company did not really consider it a vulnerability.
Even though it fixed the issue, the company did not really consider it a vulnerability.

A flaw that a security researcher said could enable JavaScript code injection in the Android app version of news aggregator Feedly has been addressed, but was also a trifle dismissed by the company as “harmless” and not really a vulnerability.

The bug enables an attacker to inject malicious JavaScript codes through an RSS feed in a Feedly post, the researcher, going by the name Jeremy S., wrote on Saturday, explaining the attack is only possible if the user has subscribed to the feed.

The issue exists because, unlike the web browser and iOS variants of the service, JavaScript codes on the Android app are not sanitized, Jeremy S. wrote.

In images accompanying his post, Jeremy S. showed how a malicious injection payload appears as the JavaScript code in a browser, but then appears on the Android app as a button redirecting to a malicious website.

That could open the door to any number of problems.

“It's a simple matter of [Feedly's] use of embedding a WebView – basically embedding the system web browser inside the app – to render content,” Zach Lanier, senior security researcher with Duo Security, told SCMagazine.com in a Monday email correspondence.

Interestingly, WebViews in Android do not honor and execute JavaScript by default, Lanier said, adding that the developer must explicitly enable the view's JavaScript support.

“What could have happened here is that [Feedly] enabled it deliberately for who-knows-what-reason,” Lanier said. “I don't find that this is a common issue, namely because of JavaScript being off by default in WebViews.”

Olivier Devaux, co-founder of Feedly, told SCMagazine.com in a Monday email correspondence that the issue was fixed instantly within 24 hours of being reported and that he is not aware of any users having been impacted.

“To be honest there is not much the injected code could have done anyway given that it is running in a browser sandbox,” Devaux said. “This blog post was more a catchy headline than a real vulnerability. We are committed to fixing all the issues, even the harmless ones like this one, as quickly as we can.”

Neither Devaux, nor another Feedly spokesperson, responded to follow-up questions on why the company deemed the vulnerability harmless if it could enable redirecting to malicious websites. Jeremy S. did not respond to a SCMagazine.com request for comment.

[An earlier version of this story incorrectly stated that the bug impacts Feedly for Android 19.3.0].