JVNDB-2023-000085

"Skylark" App fails to restrict custom URL schemes properly

"Skylark" App provided by SKYLARK HOLDINGS CO., LTD. provides the function to access a requested URL using Custom URL Scheme. The App does not restrict access to the function properly (CWE-939, CVE-2023-40530, CVE-2024-54014) which may be exploited to direct the App to access any sites.

CVE-2023-40530
Shunsuke Kaneko of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2024-54014
Ryo Sato reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

SKYLARK HOLDINGS CO., LTD.

• Skylark App for Android versions 6.2.13 and earlier
• Skylark App for iOS versions 6.2.13 and earlier

An arbitrary site may be displayed on the WebView of the product by using another application installed on the user's device. As a result, the user may be redirected to a malicious site.

[Update the application]
Update the application to the latest version according to the information provided by the developer.

SKYLARK HOLDINGS CO., LTD.

• App Store : "Skylark" App for Android (in Japanese)
• Google Play : "Skylark" App for iOS (in Japanese)

1. Permissions(CWE-264) [IPA Evaluation]

1. CVE-2023-40530
2. CVE-2024-54014

1. JVN : JVN#03447226
2. National Vulnerability Database (NVD) : CVE-2023-40530

• [2023/08/24]
    Web page published
• [2024/05/15]
    References : Content was added
• [2024/12/02]
    Overview was modified
    CVE : CVE-2024-54014 was added