Pages

Tuesday, April 22, 2014

Open letter to Edwin Khodabakchian, CEO Feedly

Dear Mr. Edwin,

I am terribly sorry that the internet news reporters decided to sensationalize this whole thing. I am a Feedly supporter myself and I truly enjoy it. And I agree too with some security professionals / researchers that Feedly did respond timely and quote Davey Winder, "ethical disclosure at its best". However, people decided to interprete my blog post their way and put Feedly in a bad light. The blog post is meant for a extremely small community and technical findings / tips / news archive, however, it was 'scraped' and re-packaged without even notifying me. For the record, I informed no one and spoke to no writers before this whole thing went down.

And on my blog, I wrote the contents as objective and technical as I could and quoted only facts, however limited they may have been. Any inaccuracies that was pointed out I did my best to correct them. As Feedly had stopped communicating with me after they fixed the problem, i had zero visibility (and I am not saying that Feedly owes me to provide any). To be fair, I did ask Feedly to advise on Feedly's steps to ethical disclosure, however, I did not receive any responses despite multiple emails. This means that I did not know that it was a backend fix until much later when I tested it myself (and still I can't be entirely sure until you helped confirmed it later) and I didn't know it was fixed before the 17th when Feedly released v19.3.0 (thus i added 'estimated').  As always, it is part of an individual duty to inform the public and as advised by recognised security body whom i shall not name, I only published this finding about a month after the fix.

Unfortunately, this post unexpectedly went kinda viralled, probably because Feedly is in the fore-front of cloud RSS service provider. Like other major players such as Facebook, Google and Microsoft, Feedly is facing her onslaught of security news. Nevertheless, I believe the reporters of the various news sites should have contacted Feedly and myself to do fact-checks before publishing the articles.  Feedly has an awesome track records in its services and security responses, and like any other giants, people will forget about this and continue to support Feedly. 

This is a war against insecurity both real and deadly vulnerabilties and also the usual crowd paranoia. And I believe that soon enough, this will blow over like any other news. Someone will find something in somewhere else and this will be quickly be forgotten.

I wish you and Feedly a continuous success. 

P.S. For what's worth, this article speaks of my thoughts: http://www.daniweb.com/web-development/javascript-dhtml-ajax/news/477537/feedly-android-javascript-zero-day-found-fixed-and-can-be-forgotten

Yours sincerely,
Jeremy S.

Saturday, April 19, 2014

Feedly Android Application Zero-day Vulnerability - JavaScript Code Injection

Hey all,
(Updated on 19-Apr & 21-Apr 2014: See yellow & aqua)
Do you guys remember that I kinda "spammed" my own site with a series of blog posts filled with javascript codes? I was performing tests on the Feedly app to verify a JavaScript injection vulnerability. After a series of tests, I ascertained that the Feedly App (19.2.0 - before 17th March 2014) was vulnerable. As part of the ethical disclosure, I reported to Feedly, the Feedly folks acknowledged the vulnerability (via email) and they got it fixed on 17th March 2014. Unfortunately, I haven't got any more responses when I asked them how they would like to alert / advise their users, especially since they did not mention the vulnerability fix in their change logs on Google Playstore. Anyway, their silence resulted in me seeking alternatives without Feedly's further involvement.

tl;dr - vulnerability details and screenshots as follow:

Vulnerability Title: JavaScript Code Injection possible in Feedly Android App via RSS Feeds
Description:
A javascript code injection is possible from an RSS feed (e.g. from a blog on blogspot) into the 'Feedly' Android App. The android app does not sanitize javascript codes and interpretes them as codes. As a result, allows potential attackers to perform javascript code executions on victim's Feedly android app session via a crafted blogpost. However, the pre-requisite for such an attack to be possible is that the user must have subscribed (RSS) to the site. In other words, attacks can take place only when user browses the RSS-subscribed site's contents via the Feedly android app.

Potential Impact:
Attacker may inject malicious javascript codes via a blogpost. An example would be to create a button to redirect users to malicious sites (and the same old tricks to follow). 
*I haven't gone to the extent of performing 'remote arbitrary code injection'  as I wasn't sure if it uses webView toolkit. But if you got 19.2.0 apk and wish to try, please go nuts. And it'll be nice if you could let me know and of course, I'll reciprocate by providing shiny blue links to your page. =D


Date discovered / reported: 10th March 2014
Date fixed (estimated): Verified after 17th March 2014 (Feedly states that they got it fixed 24 hours after reporting)
Vulnerable version: < 19.3.0 (version just before 19.3.0 - did not test the older ones)
Fixed Version: Feedly Android App 19.3.0 (17th March 2014) - personally verified.
Apparently after testing on previous versions (19.2 and 19.1), I could not reproduce the same problem. I suspect the vulnerable codes are of the backend servers and not the android app itself. As such, both vulnerable version and fixed version fields are not applicable.

Proof-of-Concept
Injection payload:
</script>
<button onclick="location.href='http://www.potentially-malicious.site'" id="1" value="1"/>BreakToProtect's Button
<but

 Figure 0: Normal Feedly site on a Chrome Browser - As you can see, the javascript codes are displayed as text and not intepreted as executable codes

 Figure 1: Feedly App accessing the same blogpost as shown on figure 0 - As you can see, a nice button of mine was created on the Android Application

 Figure 2: Upon clicking on 'BreakToProtect's button', user will be redirected to another site. As per proof-of-concept, a fake URL link 'http://www.potentially-malicious.site/' was used instead.

Annnnddd it's fixed after 19.3.0. 

Hope this is informative for all Feedly users. Thanks to the quick responses from Feedly team, you can now get your fix at the following URL:
https://play.google.com/store/apps/details?id=com.devhd.feedly
The fix was done at the backend - users do not have to worry about using older versions of Feedly.

Later,
JS