Brian Mastenbrook said on his website that the bug, if exploited, can allow malicious websites to read files sitting on a user's hard drive, without the victim needing to take any action.
"This can be used to gain access to sensitive information stored on the user's computer, such as emails, passwords or cookies that could be used to gain access to the user's accounts on some websites," he said, adding that Apple is aware of the bug.
Users of Mac OS X 10.5, code-named Leopard, are affected if they use the default feed reader application preference, regardless if they use a different browser or use RSS feeds at all, Mastenbrook said. Users of Safari for Windows are also impacted, unless they do not use it for browsing.
Mastenbrook said he does not think the vulnerability is publicly known, but users should nonetheless take action to prevent against an exploit.
To protect themselves in advance of a fix from Apple, users should select another feed reader besides the Safari default, he said.
Mastenbrook describes how to select a different feed reader on his site.
An Apple spokeswoman on Tuesday did not respond to a request seeking comment.