
A security researcher discovered a serious Javascript Injection vulnerability in the popular Feedly Android App impacting Millions Users.
“A javascript code injection is possible from an RSS feed (e.g. from a blog on blogspot) into the ‘Feedly’ Android App. The android app does not sanitize javascript codes and interpretes them as codes. As a result, allows potential attackers to perform javascript code executions on victim’s Feedly android app session via a crafted blogpost. However, the pre-requisite for such an attack to be possible is that the user must have subscribed (RSS) to the site. In other words, attacks can take place only when user browses the RSS-subscribed site’s contents via the Feedly android app.”
</script>
<button onclick=”location.href=’http:/
<but
“Upon clicking on ‘BreakToProtect’s button’, user will be redirected to another site. As per proof-of-concept, a fake URL link ‘http://www.potentially-malicious.site/’ was used instead.”
(Security Affairs – Android, Feedly app)




