When it comes to Android apps, even the simplest app can greatly compromise your privacy and security.
Injecting malicious JavaScript into Android applications has drawn increased attention from the hacking community as the platform's market share grows. According to security researcher Jeremy S. from Singapore, a critical vulnerability in the Feedly app left millions of Android users vulnerable to JavaScript injection.
Feedly is a very popular app available for iOS and Android devices, and it is also integrated into hundreds of other third-party apps. It lets its users browse the content of their favourite blogs, magazines, websites and more in one place via RSS feed subscriptions. According to the Google Play Store, more than 5 million users have installed the Feedly app on their Android devices.
In a blog post, the researcher reported that Feedly is vulnerable to a JavaScript injection attack, commonly referred to as 'cross-site scripting' or XSS, which allows an attacker to execute arbitrary JavaScript code on the client side. JavaScript is widely used in websites and web-based applications, but it is used not only for good purposes but for malicious ones as well.
The Feedly app failed to sanitize JavaScript code embedded in the original articles on subscribed websites or blogs, which left millions of its feed subscribers open to injection attacks. The researcher demonstrated that the vulnerability allows an attacker to execute malicious JavaScript code within the Feedly app on the user's device. So, if a user browses an article via Feedly that includes malicious JavaScript code, the user unknowingly gives an attacker the leverage to carry out malicious activities against them.
"The Android app does not sanitize JavaScript codes and interprets them as codes. As a result, it allows potential attackers to perform JavaScript code executions on the victim's Feedly Android app session via a crafted blog post," the researcher wrote. He added, "Attacks can take place only when the user browses the RSS-subscribed site's contents via the Feedly Android app."
A malicious JavaScript injection lets an attacker do a number of things: read or modify cookies, temporarily edit web page contents, modify web forms, or inject tracking code or exploit code in order to infect Android users.
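The defensive counterpart of the failure described above, as an added example that is not part of the original article or of Feedly's own code: a small allowlist-based HTML sanitizer in Python of the kind a feed reader should run over every article body before handing it to a WebView. It drops `<script>` and `<style>` bodies, every attribute that is not explicitly allowed (which covers all `on*` event handlers), and any `href` or `src` whose scheme is not `http` or `https` (which covers `javascript:` URLs), re-escapes text so entity-encoded tags stay inert, and balances tags the feed left open. The tag and attribute allowlists, the crafted sample post and the helper names are assumptions chosen for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlists are illustrative assumptions: keep them as small as the feed content needs.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "img", "ul", "ol", "li",
                "h1", "h2", "h3", "blockquote", "pre", "code"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
SAFE_SCHEMES = {"http", "https"}


class FeedSanitizer(HTMLParser):
    """Rebuilds feed HTML from an allowlist: unknown tags, all event-handler
    attributes, <script>/<style> bodies and non-http(s) URLs are dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized fragments
        self.open_tags = []    # stack used to emit balanced closing tags
        self.skip_depth = 0    # > 0 while inside <script> or <style>
        self.dropped = []      # audit trail of what was removed, useful for logging

    @staticmethod
    def _safe_url(value):
        if value is None:
            return False
        # Remove control characters and whitespace that browsers ignore when
        # parsing a scheme, so "java\tscript:" cannot slip past the check.
        cleaned = re.sub(r"[\x00-\x20\x7f]", "", value)
        return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            self.dropped.append(f"<{tag}>")
            return
        if self.skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"<{tag}>")
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name}")          # covers onerror, onclick, ...
                continue
            if name in ("href", "src") and not self._safe_url(value):
                self.dropped.append(f"{tag}@{name}={value}")  # covers javascript: URLs
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        # Close anything left open inside this element, then the element itself.
        while True:
            open_tag = self.open_tags.pop()
            self.out.append(f"</{open_tag}>")
            if open_tag == tag:
                break

    def handle_data(self, data):
        # Text is re-escaped, so "&lt;script&gt;" in an article stays inert text.
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def close(self):
        super().close()
        while self.open_tags:          # balance tags the feed left open
            self.out.append(f"</{self.open_tags.pop()}>")


def sanitize_feed_html(raw_html):
    """Returns (safe_html, dropped_items) for one feed entry."""
    parser = FeedSanitizer()
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample: a crafted blog post of the kind the article describes.
CRAFTED_POST = (
    '<p>Ten tips for <b>better</b> coffee</p>'
    '<script>alert("pwned")</script>'
    '<img src="https://example.org/cup.png" onerror="alert(1)">'
    '<a href="javascript:alert(1)">read more</a>'
    '<a href="https://example.org/post">read more</a>'
    '<p>Tip 1: &lt;script&gt; is not a coffee bean</p>'
)

if __name__ == "__main__":
    safe, dropped = sanitize_feed_html(CRAFTED_POST)
    print(safe)
    print("dropped:", dropped)
```

Two design points matter here. The sanitizer is built on a real HTML tokenizer and an allowlist, not on regular expressions that try to blacklist `<script>`; blacklists miss event-handler attributes, entity tricks and scheme obfuscation, all of which this example handles by construction. The `dropped` list is kept so an app can log how often feed content had to be stripped, which is a useful signal that a subscribed source is serving crafted posts. On Android the same step belongs immediately before the HTML reaches the WebView, and if the reader does not need scripting at all, `WebSettings.setJavaScriptEnabled(false)` removes the execution sink entirely.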
He discovered the vulnerability on 10 March and reported it to Feedly, which acknowledged it and fixed it on 17 March 2014. But Feedly did not mention any vulnerability fix in its change log on the Google Play Store. So users who have not enabled automatic updates from the Play Store should manually update the installed Feedly app as soon as possible.