Feedly app left attack window open for malicious JavaScript hackers according to one security researcher.
Security consultant and blogger Jeremy S revealed that the Feedly Android app, or at least the version prior to the update on March 17th 2014, had been subject to a zero-day JavaScript code injection vulnerability. Jeremy reported the discovery to the Feedly developers who patched the vulnerability within 24 hours, ethical disclosure working at its best if you ask me.
The Singapore based researcher explained that the code injection was possible from an RSS feed into the app itself as the Feedly app didn't sanitize the JavaScript but simply interpreted them as code. This opened up an attack window to enable code executions on the user Android app session via a specially crafted feed, but only if the user was subscribed to that site already. The potential exploits for this could include a redirect button to malicious sites etc, although there is currently no evidence that the zero day was exploited by anyone other than the researcher himself in order to prove it existed.
Of course, Feedly is a hugely popular app with millions of users so there is always the potential that someone could have exploited this hole without it coming to the attention of the wider world.
The reported danger that users who do not perform automatic updates from the Play Store would be at risk from older Feedly versions seems unfounded as the developers confirm the fix was at the server end so no clients would be exposed to it after the patch was made.
Found, fixed, now forget about it...