Feedly app left attack window open for malicious JavaScript hackers according to one security researcher.

Security consultant and blogger Jeremy S revealed that the Feedly Android app, or at least the version prior to the update on March 17th 2014, had been subject to a zero-day JavaScript code injection vulnerability. Jeremy reported the discovery to the Feedly developers who patched the vulnerability within 24 hours, ethical disclosure working at its best if you ask me.

The Singapore based researcher explained that the code injection was possible from an RSS feed into the app itself as the Feedly app didn't sanitize the JavaScript but simply interpreted them as code. This opened up an attack window to enable code executions on the user Android app session via a specially crafted feed, but only if the user was subscribed to that site already. The potential exploits for this could include a redirect button to malicious sites etc, although there is currently no evidence that the zero day was exploited by anyone other than the researcher himself in order to prove it existed.

Of course, Feedly is a hugely popular app with millions of users so there is always the potential that someone could have exploited this hole without it coming to the attention of the wider world.

The reported danger that users who do not perform automatic updates from the Play Store would be at risk from older Feedly versions seems unfounded as the developers confirm the fix was at the server end so no clients would be exposed to it after the patch was made.

Found, fixed, now forget about it...

Edited by happygeek: date typo corrected

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.