[Japanese]

JVNDB-2015-000040

LINE vulnerable to script injection

Overview

LINE provided by LINE Corporation is an application used to communicate with others. LINE is vulnerable to MITM (man-in-the-middle) attacks since the application allows non-SSL/TLS communications. As a result, any API may be invoked from a script injected by a MITM (man-in-the-middle) attacker.

Kenta Suefusa, Nobuaki Nakazawa and Tomonori Shiomi of Sprout Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 5.1 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products


LINE Corporation
  • LINE for Android version 5.0.2 and earlier
  • LINE for iOS version 5.0.0 and earlier

Impact

A script may be injected by a MITM (man-in-the-middle) attacker. As a result, any API can be invoked through the injected script.
Solution

[Update the software]
Update to the latest version according to the information provided by the developer.

According to the developer, a part of this vulnerability is fixed on the server side. The developer recommends users to update the application to the latest version, which enforces all communications to be encrypted and removes any unnecessary APIs.
Vendor Information

LINE Corporation
CWE (What is CWE?)

  1. No Mapping(CWE-DesignError) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2015-0897
References

  1. JVN : JVN#41281927
Revision History

  • [2015/03/20]
      Web page was published

Date Public2015/03/20
Date First Published2015/03/20
Date Last Updated2015/03/20