
Saturday, April 19, 2014

Feedly Android Application Zero-day Vulnerability - JavaScript Code Injection

Hey all,
(Updated on 19-Apr & 21-Apr 2014 with Feedly's responses on the fix; see the version notes and the comments below.)
Do you guys remember that I kinda "spammed" my own site with a series of blog posts filled with JavaScript code? I was running tests on the Feedly app to verify a JavaScript injection vulnerability. After a series of tests, I ascertained that the Feedly app (19.2.0, before 17th March 2014) was vulnerable. As part of ethical disclosure, I reported it to Feedly; the Feedly folks acknowledged the vulnerability (via email) and had it fixed on 17th March 2014. Unfortunately, I got no further response when I asked them how they would like to alert and advise their users, especially since the fix is not mentioned in their change logs on the Google Play Store. Their silence led me to seek alternatives without Feedly's further involvement.

tl;dr: vulnerability details and screenshots follow.

Vulnerability Title: JavaScript Code Injection possible in Feedly Android App via RSS Feeds
Description:
JavaScript code injection is possible from an RSS feed (e.g. from a blog on Blogspot) into the Feedly Android app. The app does not sanitize JavaScript in feed content and renders it as executable code. As a result, an attacker can execute JavaScript in the victim's Feedly Android app session via a crafted blog post. The prerequisite is that the victim has subscribed (via RSS) to the attacker's site: the attack only takes place when the user browses the subscribed site's content in the Feedly Android app.

Potential Impact:
An attacker may inject malicious JavaScript via a blog post. An example would be to create a button that redirects users to a malicious site (with the same old tricks to follow).
*I haven't gone as far as attempting 'remote arbitrary code injection', as I wasn't sure whether the app uses the WebView toolkit. But if you have the 19.2.0 APK and wish to try, please go nuts. And it'd be nice if you could let me know; of course, I'll reciprocate by providing shiny blue links to your page. =D


Date discovered / reported: 10th March 2014
Date fixed (estimated): verified after 17th March 2014 (Feedly states that it was fixed within 24 hours of reporting)
Vulnerable version: < 19.3.0 (the version just before 19.3.0; older ones not tested)
Fixed version: Feedly Android App 19.3.0 (17th March 2014), personally verified.
Update: after retesting older versions (19.2 and 19.1), I could not reproduce the problem. The vulnerable code therefore appears to be in the backend servers and not the Android app itself, so the vulnerable-version and fixed-version fields above are not applicable.

Proof-of-Concept
Injection payload:
</script>
<button onclick="location.href='http://www.potentially-malicious.site'" id="1" value="1"/>BreakToProtect's Button
<but

Figure 0: The blog post on the normal Feedly site in a Chrome browser. The JavaScript is displayed as text and not interpreted as executable code.

Figure 1: The Feedly app showing the same blog post as in Figure 0. The injected button was rendered in the Android application.

Figure 2: Upon tapping 'BreakToProtect's Button', the user is redirected to another site. For the proof of concept, a fake URL, 'http://www.potentially-malicious.site/', was used.
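Feedly's comments below state that the fix was sanitization of the blog post on their server, with no app update needed. The following is an added example, written for this page and not Feedly's own code, of what such a server-side step looks like: an allow-list HTML filter built on Python's standard-library HTMLParser, with the vulnerable rendering path (feed markup pasted straight into the page a WebView will execute) next to the hardened one. The tag and attribute allow-lists, the PAGE template and the function names are this example's own choices; the PAYLOAD string is the injection payload shown above. Whether injected JavaScript can be escalated further depends on how the client's WebView is configured, which this post does not establish.

```python
"""Allow-list sanitizer for untrusted feed HTML, plus the raw-vs-sanitized
rendering paths a reader app can take. Added example; not Feedly's code."""
from html import escape
from html.parser import HTMLParser

# Markup a feed reader has a reason to render (this example's own choice).
# Anything else is dropped while its text is kept; script/style lose their
# content as well.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "img", "ul", "ol",
                "li", "h1", "h2", "h3", "blockquote", "pre", "code"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
DROP_CONTENT_TAGS = {"script", "style"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class FeedSanitizer(HTMLParser):
    """Re-emits only allow-listed tags/attributes; everything else, including
    every on* handler and any javascript: URL, is discarded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized output fragments
        self.open_tags = []  # allowed tags emitted but not yet closed
        self.suppress = 0    # > 0 while inside <script>/<style>

    def _safe_url(self, value):
        # Strip whitespace/control characters before the scheme check so that
        # "java\tscript:" or " javascript:" cannot slip past the allow-list.
        probe = "".join(ch for ch in value if ord(ch) > 32).lower()
        return probe.startswith(SAFE_SCHEMES)

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.suppress += 1
            return
        if self.suppress or tag not in ALLOWED_TAGS:
            return  # <button>, <iframe>, <form>, ... are dropped, text kept
        kept = []
        for name, value in attrs:
            value = (value or "").strip()
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick/onerror/style/id/...
            if name in ("href", "src") and not self._safe_url(value):
                continue  # drops javascript:, data:, vbscript: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            return  # <script/> has no content to suppress
        self.handle_starttag(tag, attrs)
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS and not self.suppress:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.suppress = max(0, self.suppress - 1)
            return  # a stray </script> with no opener is simply ignored
        if self.suppress or tag not in self.open_tags:
            return
        while self.open_tags:  # close intervening tags so output stays balanced
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.suppress:
            self.out.append(escape(data, quote=False))

    def close(self):
        super().close()
        while self.open_tags:  # never leave an open tag that can swallow what follows
            self.out.append(f"</{self.open_tags.pop()}>")


def sanitize_feed_html(fragment):
    parser = FeedSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


PAGE = "<html><body>{body}</body></html>"  # hypothetical WebView page template


def render_unsafe(entry_html):
    """What a vulnerable reader effectively does: feed markup goes straight
    into the page that the WebView will execute."""
    return PAGE.format(body=entry_html)


def render_safe(entry_html):
    """The server-side fix: sanitize before the markup reaches any client."""
    return PAGE.format(body=sanitize_feed_html(entry_html))


# The injection payload from this post, as it would arrive in a feed entry.
PAYLOAD = ("</script>\n"
           "<button onclick=\"location.href='http://www.potentially-malicious.site'\""
           " id=\"1\" value=\"1\"/>BreakToProtect's Button\n"
           "<but")

if __name__ == "__main__":
    print(render_unsafe(PAYLOAD))  # still contains the live <button onclick=...>
    print(render_safe(PAYLOAD))    # only the button's caption text survives
```

Run against the payload, each piece is neutralised for a different reason: the leading `</script>` is an end tag with no opener and is ignored; `<button>` is not allow-listed, so the element vanishes and only its caption text is kept (its `onclick` would have been dropped regardless, since no `on*` attribute is ever allowed); and the trailing unclosed `<but` cannot swallow whatever markup follows, because every text run is entity-escaped and any allow-listed tag still open at end of input is closed. The allow-list approach matters more than the specifics: a deny-list that strips `<script>` alone would have let this `<button onclick>` through.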

Annnnddd it's fixed after 19.3.0. 

Hope this is informative for all Feedly users. Thanks to the quick response from the Feedly team, you can get the fixed app at the following URL:
https://play.google.com/store/apps/details?id=com.devhd.feedly
Update: the fix was done at the backend, so users do not need to worry about using older versions of Feedly.

Later,
JS

6 comments:

  1. The comment is correct. This issue was fixed on the server and so no client is exposed to this issue anymore. -Edwin from feedly

  2. Also please note that this bug was fixed within 24 hours of the time it was reported, not within 7 days as suggested by the post.

  3. @Edwin Khodabakchian
    Thank you for your responses. To clarify: the 'Date fixed' is estimated and based on the day the verification was performed. (There was neither a notification of the fix on the site nor via email.)
    However, in order to more accurately reflect Feedly's effort and responsiveness on this particular vulnerability, I've updated the post to include Feedly's statement on the time taken to respond and fix.

  4. "especially since they did not mention the vulnerability fix in their change logs on Google Playstore" Just to be sure that everything is clear: the sanitization of the blog post is performed on our server. No app change/update or user action is needed to fix these kinds of issues.
