Multiple vulnerabilities in LINE instant messenger platform

SEC Consult Vulnerability Lab Security Advisory < 20160810-0 >


title: Multiple vulnerabilities

product: LINE instant messenger platform

vulnerable version: before June 2016

fixed version: after June/July 2016

impact: removed (as per bounty program policy)


found: 2016-06-05

by: P. Morimoto (Office Bangkok)

SEC Consult Vulnerability Lab


An integrated part of SEC Consult

Bangkok - Berlin - Linz - Montreal - Moscow

Singapore - Vienna (HQ) - Vilnius - Zurich




Vendor description:


"Line (styled "LINE") is a proprietary application for instant communications

on electronic devices such as smartphones, tablet computers and personal

computers. Line users exchange texts, images, video and audio, and conduct

free VoIP conversations and video conferences.


Line first launched in Japan in 2011, reaching 100 million users within

eighteen months and 200 million users only six months later. Line became

Japan's largest social network in 2013. In October 2014 Line announced that it

had attracted 560 million users worldwide with 170 million active user






Business recommendation:


SEC Consult recommends not to use this software until a thorough security

review has been performed by security professionals and all identified

issues have been resolved.



Vulnerability overview/description:


SEC Consult reported two security flaws that existed in the LINE messenger

platform to the LINE Security Bug Bounty Program.


1. Authorization Bypass

By abusing the authorization bypass vulnerability, an attacker was able to

gain unauthorized access to other user's confidential information.



2. Server-side request forgery

By abusing server-side request forgery issues, an attacker can make arbitrary

requests on behalf of the affected server and execute code remotely.


Further detailed information cannot be published as per LINE

bounty program policy. The severity rating has been excluded too.



LINE's response (Supplementary explanation)


Due to insufficient confirmation on our side, the first edition of this

advisory contained some incorrect information.


Our Program


The first edition states that according to LINE Security Bug Bounty Program

policy, the PoC had been removed. However, our program does not prohibit

disclosing vulnerabilities which have already been fixed. (Per Article 9, in

some cases it can take time to push the fix for client app vulnerabilities to

users, so a maximum confidentiality period of one year may be imposed in that



Supplementary explanation about discovered vulnerabilities


1. Authorization bypass

This issue did not affect the main LINE messenger app but rather the CMS (Web

application) for official accounts (business accounts representing celebrities

or stores).


Regular users using the LINE messenger app were not affected by the

authorization bypass issue in any way. In regard to the possibly obtained

information, while the information was not yet published, all information is

assumed to be for general public consumption and no highly sensitive

information was affected. Any internal access tokens that were exposed were

quickly invalidated.



2. Server-side request forgery

The first edition has the phrase "execute code remotely," which we believe

invites some misunderstanding. We determined this vulnerability was of

extremely high priority as it affected internal network resources, and could,

in some cases, allow for issuing internal API requests, which could seriously

affect various services. However, we believe this was not an "arbitrary code

execution" or "remote code execution" issue but rather, at the most, a

“potential access to internal HTTP APIs/resources” issue. From our internal

inspection, we did not find any proof that arbitrary code could be executed.


We are extremely grateful to SEC Consult for bringing these serious

vulnerabilities to our attention. Security is of the utmost importance to us

and we will continue to do our utmost when it comes to security.


Vulnerability report and action timeline:


Authentication bypass


2016-06-09 08:03 First message from SEC Consult

2016-06-09 13:00 Fix complete

2016-06-09 15:00 All possibly exposed access tokens rendered invalid

2016-06-16 16:10 Sent message to SEC Consult to confirm fix

2016-06-16 - All possibly exposed access tokens reactivated


Server-side request forgery


2016-06-13 12:28 First message from SEC Consult

2016-06-16 15:56 Fix complete

2016-06-16 16:10 Sent message to SEC Consult to confirm fix



Vulnerable / tested versions:


LINE instant messenger platform before June 9, 2016.



Vendor contact timeline:


2016-06-05: Contacting vendor through

2016-06 & 2016-07: Vendor provides hot fixes to immediately correct the flaws

2016-07: LINE Security Team updates hall of fame 2016, special contribution

2016-08-10: Public advisory release







The vulnerabilities have already been fixed in the latest version of LINE.





No workaround available



Advisory URL:






SEC Consult Vulnerability Lab


SEC Consult

Bangkok - Berlin - Linz - Montreal - Moscow

Singapore - Vienna (HQ) - Vilnius - Zurich


About SEC Consult Vulnerability Lab

The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It

ensures the continued knowledge gain of SEC Consult in the field of network

and application security to stay ahead of the attacker. The SEC Consult

Vulnerability Lab supports high-quality penetration testing and the evaluation

of new offensive and defensive technologies for our customers. Hence our

customers obtain the most current information about vulnerabilities and valid

recommendation about the risk profile of new technologies.



Interested to work with the experts of SEC Consult?

Send us your application


Interested in improving your cyber security with the experts of SEC Consult?

Contact our local offices



Mail: research at sec-consult dot com





EOF Pichaya Morimoto / @2016