SEC Consult Vulnerability Lab Security Advisory < 20160810-0 >
=======================================================================
title: Multiple vulnerabilities
product: LINE instant messenger platform
vulnerable version: before June 2016
fixed version: after June/July 2016
impact: removed (as per bounty program policy)
homepage: line.me/en/
found: 2016-06-05
by: P. Morimoto (Office Bangkok)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich
=======================================================================
Vendor description:
-------------------
"Line (styled "LINE") is a proprietary application for instant communications
on electronic devices such as smartphones, tablet computers and personal
computers. Line users exchange texts, images, video and audio, and conduct
free VoIP conversations and video conferences.
Line first launched in Japan in 2011, reaching 100 million users within
eighteen months and 200 million users only six months later. Line became
Japan's largest social network in 2013. In October 2014 Line announced that it
had attracted 560 million users worldwide with 170 million active user
accounts."
Source: en.wikipedia.org/wiki/Line_(application)
Business recommendation:
------------------------
SEC Consult recommends not to use this software until a thorough security
review has been performed by security professionals and all identified
issues have been resolved.
Vulnerability overview/description:
-----------------------------------
SEC Consult reported two security flaws that existed in the LINE messenger
platform to the LINE Security Bug Bounty Program.
1. Authorization Bypass
By abusing the authorization bypass vulnerability, an attacker was able to
gain unauthorized access to other user's confidential information.
2. Server-side request forgery
By abusing server-side request forgery issues, an attacker can make arbitrary
requests on behalf of the affected server and execute code remotely.
Further detailed information cannot be published as per LINE
bounty program policy. The severity rating has been excluded too.
LINE's response (Supplementary explanation)
Due to insufficient confirmation on our side, the first edition of this
advisory contained some incorrect information.
Our Program
The first edition states that according to LINE Security Bug Bounty Program
policy, the PoC had been removed. However, our program does not prohibit
disclosing vulnerabilities which have already been fixed. (Per Article 9, in
some cases it can take time to push the fix for client app vulnerabilities to
users, so a maximum confidentiality period of one year may be imposed in that
case.)
Supplementary explanation about discovered vulnerabilities
1. Authorization bypass
This issue did not affect the main LINE messenger app but rather the CMS (Web
application) for official accounts (business accounts representing celebrities
or stores).
Regular users using the LINE messenger app were not affected by the
authorization bypass issue in any way. In regard to the possibly obtained
information, while the information was not yet published, all information is
assumed to be for general public consumption and no highly sensitive
information was affected. Any internal access tokens that were exposed were
quickly invalidated.
2. Server-side request forgery
The first edition has the phrase "execute code remotely," which we believe
invites some misunderstanding. We determined this vulnerability was of
extremely high priority as it affected internal network resources, and could,
in some cases, allow for issuing internal API requests, which could seriously
affect various services. However, we believe this was not an "arbitrary code
execution" or "remote code execution" issue but rather, at the most, a
“potential access to internal HTTP APIs/resources” issue. From our internal
inspection, we did not find any proof that arbitrary code could be executed.
We are extremely grateful to SEC Consult for bringing these serious
vulnerabilities to our attention. Security is of the utmost importance to us
and we will continue to do our utmost when it comes to security.
Vulnerability report and action timeline:
Authentication bypass
2016-06-09 08:03 First message from SEC Consult
2016-06-09 13:00 Fix complete
2016-06-09 15:00 All possibly exposed access tokens rendered invalid
2016-06-16 16:10 Sent message to SEC Consult to confirm fix
2016-06-16 - All possibly exposed access tokens reactivated
Server-side request forgery
2016-06-13 12:28 First message from SEC Consult
2016-06-16 15:56 Fix complete
2016-06-16 16:10 Sent message to SEC Consult to confirm fix
Vulnerable / tested versions:
-----------------------------
LINE instant messenger platform before June 9, 2016.
Vendor contact timeline:
------------------------
2016-06-05: Contacting vendor through bugbounty.linecorp.com/en/apply/
2016-06 & 2016-07: Vendor provides hot fixes to immediately correct the flaws
2016-07: LINE Security Team updates hall of fame 2016, special contribution
2016-08-10: Public advisory release
URL: bugbounty.linecorp.com/en/halloffame/2016/
Solution:
---------
The vulnerabilities have already been fixed in the latest version of LINE.
Workaround:
-----------
No workaround available
Advisory URL:
-------------
www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Bangkok - Berlin - Linz - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application www.sec-consult.com/en/Career.htm
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: www.sec-consult.com
Blog: blog.sec-consult.com
Twitter: twitter.com/sec_consult
EOF Pichaya Morimoto / @2016