Auction Camera vulnerable to URL whitelist bypass


Auction Camera provided by Newphoria Corporation Inc. is an application for both iOS or Android built using "applican". Auction Camera contains an issue where an arbitrary page may be loaded if the application is launched using the URL-scheme.

Kenta Suefusa and Tomonori Shiomi of Sprout Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 6.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products

Newphoria Corporation
  • Auction Camera for Android versions 1.1 and earlier
  • Auction Camera for iOS


Android version of this app may allow an applican API to be executed if that API has been granted permission in the android manifest.
iOS version of this app may allow an arbitrary API to be executed.

For Auction Camera for Android:
[Update the Software]
Update to the latest version according to the information provided by the developer.

For Auction Camera for iOS:
[Do not use Auction Camera for iOS]
Auction Camera for iOS is no longer being developed or maintained. It is recommended to stop using Auction Camera for iOS.
Vendor Information

Newphoria Corporation
CWE (What is CWE?)

  1. Permissions(CWE-264) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2015-5633

  1. JVN : JVN#71815309
  2. National Vulnerability Database (NVD) : CVE-2015-5633
Revision History

  • [2015/09/16]
      Web page was published
      References : Content was added