[Japanese]

JVNDB-2015-000095

LINE@ vulnerable to script injection

Overview

LINE@ provided by LINE Corporation is an application used to communicate with others. LINE@ is vulnerable to MITM (man-in-the-middle) attacks since the application allows non-SSL/TLS communications. As a result, any API may be invoked from a script injected by a MITM (man-in-the-middle) attacker.

Kenta Suefusa, Nobuaki Nakazawa, Tomonori Shiomi of Sprout Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 5.1 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products


LINE Corporation
  • LINE@ for Android version 1.0.0
  • LINE@ for iOS version 1.0.0

Impact

A script may be injected by a MITM (man-in-the-middle) attacker. As a result, any API can be invoked through the injected script.
Solution

[Update the software]
Update to the latest version according to the information provided by the developer.

According to the developer, this vulnerability was addressed on the server side. However, the developer recommends updating the application for security purposes.
Vendor Information

LINE Corporation
CWE (What is CWE?)

  1. No Mapping(CWE-DesignError) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2015-2968
References

  1. JVN : JVN#22546110
Revision History

  • [2015/07/10]
      Web page was published