
Millions of Feedly users vulnerable to JavaScript injection attack

A security researcher discovered a serious JavaScript injection vulnerability in the popular Feedly Android app, impacting millions of users.

While the mobile industry continues to grow, cyber threats continue to increase in frequency and level of sophistication. Mobile platforms like Android are a privileged target for cyber criminals, who with a successful exploit could impact the security of a wide audience. One of the most common tactics adopted by cybercrime communities to infect mobile platforms is the injection of malicious JavaScript directly into popular Android apps.
Security researcher Jeremy S. from Singapore discovered a critical vulnerability in the Feedly app that could be exploited by attackers to infect millions of Android app users.
Feedly is a popular app available for iOS and Android, which offers an aggregation platform for content published on blogs, websites, RSS Feeds and magazines.
The researcher provided evidence of the flaw in a blog post, exploiting the vulnerability through a JavaScript injection attack. Due to a cross-site scripting vulnerability, an attacker is able to execute any JavaScript code on the client side. The attack is possible due to the lack of input validation in the Feedly app, which doesn’t sanitize the JavaScript code written in the original articles on subscribed websites or blogs.
A JavaScript code injection is possible from an RSS feed (e.g. from a blog on blogspot) into the ‘Feedly’ Android app. The Android app does not sanitize JavaScript code and interprets it as code. As a result, it allows potential attackers to perform JavaScript code execution in the victim’s Feedly Android app session via a crafted blog post. However, the prerequisite for such an attack to be possible is that the user must have subscribed (RSS) to the site. In other words, attacks can take place only when the user browses the RSS-subscribed site’s contents via the Feedly Android app.
More than 5 million users currently use the Feedly app on their Android devices. By exploiting JavaScript injection, an attacker can perform different malicious activities, including reading cookies, modifying web page contents, and injecting tracking code or exploit code to infect the victim’s Android device.
The researcher provided a proof of concept using the following injection payload, which displays a JavaScript button in the mobile browser:

</script>
<button >.href=’http://www.potentially-malicious.site'” id=”1″ value=”1″/>BreakToProtect’s Button
<but

“Upon clicking on ‘BreakToProtect’s button’, user will be redirected to another site. As per proof-of-concept, a fake URL link ‘http://www.potentially-malicious.site/’ was used instead.”

The flaw in the Feedly application was reported to the company on March 10th and fixed within 24 hours. Users are strongly advised to update their Feedly app to the latest version.

Pierluigi Paganini

(Security Affairs –  Android, Feedly app)
