Feedly Android JavaScript zero day found, fixed and can be forgotten

happygeek

The Feedly app left an attack window open to malicious JavaScript, according to one security researcher.

Security consultant and blogger Jeremy S revealed that the Feedly Android app, or at least the version prior to the update on March 17th 2014, had been subject to a zero-day JavaScript code injection vulnerability. Jeremy reported the discovery to the Feedly developers, who patched the vulnerability within 24 hours: ethical disclosure working at its best, if you ask me.

The Singapore-based researcher explained that code injection was possible from an RSS feed into the app itself, as the Feedly app didn't sanitize JavaScript contained in feed content but simply interpreted it as code. This opened an attack window for code execution within the user's Android app session via a specially crafted feed, but only if the user was already subscribed to that site. Potential exploits could include a redirect button to malicious sites, etc., although there is currently no evidence that the zero day was exploited by anyone other than the researcher himself, in order to prove it existed.

Of course, Feedly is a hugely popular app with millions of users, so there is always the potential that someone could have exploited this hole without it coming to the attention of the wider world.

The reported danger that users who do not take automatic updates from the Play Store would remain at risk on older Feedly versions seems unfounded, as the developers confirm the fix was made at the server end, so no clients would be exposed to it once the patch was in place.

Found, fixed, now forget about it...

About the Author

A freelance technology journalist for 30 years, I have been a Contributing Editor at PC Pro (one of the best selling computer magazines in the UK) for most of them. As well as currently contributing to Forbes.com, The Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Digital Health, IT Pro and Infosecurity Magazine, I am also something of a prolific author. My last book, Being Virtual: Who You Really are Online, was published in 2008 as part of the Science Museum TechKnow Series by John Wiley & Sons. I am also the only three-time winner (2006, 2008, 2010) of the BT Information Security Journalist of the Year title, and was humbled to be presented with the ‘Enigma Award’ for a ‘lifetime contribution to information security journalism’ in 2011 despite my life being far from over...
