While mobile industry continues to grow, in the same time the number of cyber threats continues to increase in frequency and level of sophistication. Mobile platforms like Android are a privileged target of cyber criminals that with a successful exploit could impact security of a wide audience. One of the most common tactics adopted by cybercrime communities  to infect mobile platforms is the Injection of malicious JavaScript directly into popular Android apps.

Security researcher Jeremy S. from Singapore discovered a critical vulnerability in the Feedly app that could be exploited by attackers to infect millions of Android app users.

The researcher provided evidence of the flaw in blog post, the expert exploited the vulnerability through a JavaScript injection attack. Due a cross-site scripting vulnerability an attacker is able to execute any JavaScript code on client-side, the attack is possible due the lack of input validation in the Feedly app that doesn’t sanitize the Javascript code written in the original articles on subscribed websites or blogs.

“A javascript code injection is possible from an RSS feed (e.g. from a blog on blogspot) into the ‘Feedly’ Android App. The android app does not sanitize javascript codes and interpretes them as codes. As a result, allows potential attackers to perform javascript code executions on victim’s Feedly android app session via a crafted blogpost. However, the pre-requisite for such an attack to be possible is that the user must have subscribed (RSS) to the site. In other words, attacks can take place only when user browses the RSS-subscribed site’s contents via the Feedly android app.”