That could open the door to any number of problems.
“It’s a simple matter of [Feedly’s] use of embedding a WebView – basically embedding the system web browser inside the app – to render content,” Zach Lanier, senior security researcher with Duo Security, told SCMagazine.com in a Monday email correspondence.
Olivier Devaux, co-founder of Feedly, told SCMagazine.com in a Monday email correspondence that the issue was fixed instantly within 24 hours of being reported and that he is not aware of any users having been impacted.
“To be honest there is not much the injected code could have done anyway given that it is running in a browser sandbox,” Devaux said. “This blog post was more a catchy headline than a real vulnerability. We are committed to fixing all the issues, even the harmless ones like this one, as quickly as we can.”
Neither Devaux nor another Feedly spokesperson responded to follow-up questions on why the company deemed the vulnerability harmless if it could enable redirecting to malicious websites. Jeremy S. did not respond to an SCMagazine.com request for comment.
[An earlier version of this story incorrectly stated that the bug impacts Feedly for Android 19.3.0.]