NITORI App fails to restrict access permissions


NITORI App provided by Nitori Holdings Co., Ltd. implements the function to access a requested URL using Custom URL Scheme.
This function contains an improper access control vulnerability (CWE-284) that may allow the vulnerable App to receive an request from an arbitrary App and execute the access.

Satoru Nagaoka of Cyber Defense Institute, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products

Nitori Holdings Co., LTD.
  • Nitori Applications Android versions 6.0.4 and earlier
  • Nitori Applications iOS versions 6.0.2 and earlier


A remote attacker may lead a user to access an arbitrary website via the vulnerable App. As a result, the user may become a victim of a phishing attack.

[Update the Application]
Update the application to the latest version according to the information provided by the developer.
Vendor Information

Nitori Holdings Co., LTD.
CWE (What is CWE?)

  1. Permissions(CWE-264) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2020-5623

  1. JVN : JVN#77402327
  2. National Vulnerability Database (NVD) : CVE-2020-5623
Revision History

  • [2020/08/26]
      Web page was published