Published on April 20th, 2014


Feedly Android Application Zero-day Vulnerability JavaScript Code Injection

In a blog post, the researcher reported that Feedly is vulnerable to a JavaScript injection attack, which is originally referred to as 'cross-site scripting' or XSS, and which allows an attacker to execute any JavaScript code on the client side. JavaScript is a widely used technology in websites and web-based applications, but it is used not only for good purposes but for malicious ones as well.
The Feedly app failed to sanitize JavaScript code written in the original articles on subscribed websites or blogs, which left millions of its feed subscribers open to injection attacks. The researcher demonstrated that the vulnerability allows an attacker to execute malicious JavaScript code within the Feedly app at the user's end. So, if a user browses an article via Feedly that includes malicious JavaScript code, the user unknowingly gives an attacker leverage to carry out malicious activities against them.
“The android app does not sanitize JavaScript codes and interprets them as codes. As a result, allows potential attackers to perform JavaScript code executions on victim's Feedly android app session via a crafted blog post,” the researcher wrote. He added, “Attacks can take place only when user browses the RSS-subscribed site's contents via the Feedly android app.”
A malicious JavaScript injection allows an attacker to do a number of things: modify or read cookies, temporarily edit web page contents, modify web forms, and inject tracking code or exploit code in order to infect Android users.
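An added example, not code from Feedly or the researcher: one way a feed reader can treat article HTML as untrusted is to rebuild it from an allowlist of tags before rendering, so script elements, event-handler attributes and non-HTTP(S) links never reach the view. The function names, the tag list and the sample feed item are assumptions made for illustration.

```javascript
// Added example: rebuild untrusted feed HTML from an allowlist (all names are hypothetical).
const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "blockquote", "a"]);
const DROP_WITH_CONTENT = new Set(["script", "style"]);

// Text nodes: neutralise markup characters; existing entities stay inert text.
const escapeText = (s) => s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
// Attribute values: also escape & and quotes so the value cannot break out.
const escapeAttr = (s) => escapeText(s.replace(/&/g, "&amp;")).replace(/"/g, "&quot;").replace(/'/g, "&#39;");

// Return the href only if it is an absolute http(s) URL; otherwise null.
function safeHref(rawTag) {
  const m = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)')/i.exec(rawTag);
  if (!m) return null;
  try {
    const url = new URL((m[1] ?? m[2]).replace(/&amp;/g, "&").trim());
    return url.protocol === "http:" || url.protocol === "https:" ? url.href : null;
  } catch {
    return null; // relative or malformed URL
  }
}

function sanitizeFeedHtml(html) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g;
  let out = "", last = 0, skipUntil = null; // skipUntil: dropped element being skipped
  for (const m of html.matchAll(tagRe)) {
    const [raw, slash, name] = m;
    const tag = name.toLowerCase();
    if (!skipUntil) out += escapeText(html.slice(last, m.index));
    last = m.index + raw.length;
    if (skipUntil) {
      if (slash && tag === skipUntil) skipUntil = null;
    } else if (DROP_WITH_CONTENT.has(tag)) {
      if (!slash) skipUntil = tag; // drop the element and everything inside it
    } else if (ALLOWED_TAGS.has(tag)) {
      if (slash) out += `</${tag}>`;
      else if (tag === "a") {
        const href = safeHref(raw);
        out += href ? `<a href="${escapeAttr(href)}" rel="noopener noreferrer">` : "<a>";
      } else out += `<${tag}>`; // attributes such as onclick are never copied
    } // any other tag (img, svg, form, ...) is dropped; its text is kept, escaped
  }
  return skipUntil ? out : out + escapeText(html.slice(last));
}

// Constructed sample feed item body, not taken from the original report.
const SAMPLE_ITEM = '<p onclick="alert(1)">Hello <b>world</b></p><script>alert(2)</script>' +
  '<img src=x onerror=alert(3)><a href="javascript:alert(4)">bad</a> ' +
  '<a href="https://example.com/?a=1&amp;b=2">ok</a>';
console.log(sanitizeFeedHtml(SAMPLE_ITEM));
```

Because the output is assembled only from fixed tag strings and escaped text, input the tag pattern fails to recognise ends up as visible text rather than as markup.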
He discovered the vulnerability on 10th March and reported it to Feedly, which acknowledged it and fixed it on 17th March 2014. However, Feedly did not mention any vulnerability fix in its change logs on the Google Play Store. Users who have not enabled automatic updates from the Play Store should therefore manually update the installed Feedly app as soon as possible.
