JVNDB-2020-000043

Android App "Mercari" (Japan version) vulnerable to arbitrary method execution of the Java object

Android App "Mercari" (Japan version) provided by Mercari, Inc. contains vulnerability that an arbitrary Java method execution (CWE-749) due to inadequate restrictions on addJavascriptInterface of WebView class.

Taichi Kotake of Akatsuki Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Mercari Co., Ltd.

• Mercari (Japan version) prior to version 3.52.0

According to the developer, these versions cannot be used due to forced update when the app starts.

A remote attacker who can Man-In-The-Middle attack may use Java Reflection API of JavaScript code for on the WebView and execute an arbitrary method of Java object.

[Update the Application]
This Vulnerability to be fixed for update to the latest version provided by the developer.
According to the developer, the user does not have to take any voluntary action. Affected by the Vulnerability API level is not employed. And the product has forced to be updated in the past, users cannot use these versions of the app.

Mercari Co., Ltd.

• JVN : Information from Mercari, Inc.

1. No Mapping(CWE-Other) [IPA Evaluation]

1. CVE-2020-5604

1. JVN : JVN#93167107
2. National Vulnerability Database (NVD) : CVE-2020-5604

• [2020/07/08]
    Web page was published