Millions Feedly users vulnerable to Javascript Injection attack

Pierluigi Paganini April 20, 2014

A security researcher discovered a serious Javascript Injection vulnerability in the popular Feedly Android App impacting Millions Users.

While mobile industry continues to grow, in the same time the number of cyber threats continues to increase in frequency and level of sophistication. Mobile platforms like Android are a privileged target of cyber criminals that with a successful exploit could impact security of a wide audience. One of the most common tactics adopted by cybercrime communities  to infect mobile platforms is the Injection of malicious JavaScript directly into popular Android apps.
Security researcher Jeremy S. from Singapore discovered a critical vulnerability in the Feedly app that could be exploited by attackers to infect millions of Android app users.
Feedly is a popular app available for iOS and Android, which offers an aggregation platform for content published on blogs, websites, RSS Feeds and magazines.
The researcher provided evidence of the flaw in blog post, the expert exploited the vulnerability through a JavaScript injection attack. Due a cross-site scripting vulnerability an attacker is able to execute any JavaScript code on client-side, the attack is possible due the lack of input validation in the Feedly app that doesn’t sanitize the Javascript code written in the original articles on subscribed websites or blogs.
A javascript code injection is possible from an RSS feed (e.g. from a blog on blogspot) into the ‘Feedly’ Android App. The android app does not sanitize javascript codes and interpretes them as codes. As a result, allows potential attackers to perform javascript code executions on victim’s Feedly android app session via a crafted blogpost. However, the pre-requisite for such an attack to be possible is that the user must have subscribed (RSS) to the site. In other words, attacks can take place only when user browses the RSS-subscribed site’s contents via the Feedly android app.
More than 5 Million users currently use the Feedly app for their Android devices, exploiting JavaScript injection the attacker can perform different malicious activities, including cookies reading, modification of web page contents, injection of tracking codes or exploits codes to infect victim’s Android device.
The researcher provided the Proof of concept using the following Injection payload that allows to display on the mobile browser the JavaScript button:

</script>
<button onclick=”location.href=’http://www.potentially-malicious.site'” id=”1″ value=”1″/>BreakToProtect’s Button
<but

“Upon clicking on ‘BreakToProtect’s button’, user will be redirected to another site. As per proof-of-concept, a fake URL link ‘http://www.potentially-malicious.site/’ was used instead.”

feedly app vulnerability
The flaw in the Feedly application was reported to the company on March 10th and fixed within 24 hours. It is strongly suggested to the users to update their Feedly app to the last version.

Pierluigi Paganini

(Security Affairs –  Android, Feedly app)



you might also like

leave a comment