CVE-2023-39041.md
Vulnerability name: Exposure of secret in KUKURUDELI

1. Vulnerability description

The mini-app 'KUKURUDELI' on Line exposes a critical credential, the channel's client secret, to the client side, so any remote attacker who loads the mini-app can obtain it. With the client secret the attacker can issue a channel access token, the credential that authorizes API calls on behalf of the channel, and use it to broadcast malicious messages to the channel's users.

Affected version: Line 13.6.1

2. Attack Vectors

Exploitation requires nothing more than a device with Line installed and opening the mini-app 'KUKURUDELI' in Line. The response to the following request, https://asia-northeast1-pibot-order-prod.cloudfunctions.net/userEntry, contains the critical credential, the client secret. We then verified that the leaked secret is valid by exchanging it for a channel access token with the tool supplied by Line.


Figure 1 Leakage of client secret

Figure 1 shows that the response to the request https://asia-northeast1-pibot-order-prod.cloudfunctions.net/userEntry leaks the Line client secret, a credential that must never be disclosed to clients. As shown in Figure 2, the client secret can be exchanged for a channel access token, which authorizes API calls on behalf of the channel.


Figure 2 Exchange the channel access token with client secret

The official definition of the channel access token is reproduced in the following figure. It makes clear that the channel access token must be kept secret: an attacker who obtains it can use the channel to broadcast malicious messages.


Figure 3 The official description of channel access token
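The two steps described in this section, spotting the credential in the mini-app's bootstrap response and exchanging it for a channel access token, plus the server-side fix, as an added example that is not part of the original advisory or of the KUKURUDELI code. The sample userEntry payload is constructed (the real response is not reproduced in the advisory, so its key names and values are assumptions). The token request is built but not sent; it uses LINE's documented short-lived channel access token endpoint (POST https://api.line.me/v2/oauth/accessToken with grant_type=client_credentials, client_id = channel ID, client_secret = channel secret), which is the exchange shown in Figure 2. Only send it against a channel you own.

```python
import json
import re
from urllib.parse import urlencode
from urllib.request import Request

# Constructed sample response. The real userEntry payload is not reproduced in
# the advisory; the key names and values below are assumptions for illustration.
SAMPLE_USER_ENTRY = json.dumps({
    "user": {"id": "U0000000000000000000000000000000", "name": "demo"},
    "line": {
        "channel_id": "1234567890",
        "client_secret": "0123456789abcdef0123456789abcdef",
        "liff_id": "1234567890-abcdefgh",
    },
    "menu": [{"item": "onigiri", "price": 150}],
})

# Key names that should never reach a client. Assumption: names follow the
# usual snake/camel-case conventions; tune the pattern to the app under review.
CREDENTIAL_KEY = re.compile(r"(client|channel)[_-]?secret|access[_-]?token|secret[_-]?key", re.I)


def find_leaked_credentials(body: str) -> dict[str, str]:
    """Walk a JSON document and return {dotted.path: value} for credential-like keys."""
    found: dict[str, str] = {}

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                child = f"{path}.{key}" if path else key
                if CREDENTIAL_KEY.search(key) and isinstance(value, str):
                    found[child] = value
                walk(value, child)
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")

    walk(json.loads(body), "")
    return found


def build_token_request(channel_id: str, client_secret: str) -> Request:
    """Build (without sending) LINE's documented request that issues a short-lived
    channel access token from a channel ID and channel secret:
    POST https://api.line.me/v2/oauth/accessToken, grant_type=client_credentials.
    This is the exchange an attacker holding the leaked secret performs (Figure 2).
    Send it with urllib.request.urlopen only against a channel you own."""
    form = urlencode({
        "grant_type": "client_credentials",
        "client_id": channel_id,
        "client_secret": client_secret,
    }).encode()
    return Request(
        "https://api.line.me/v2/oauth/accessToken",
        data=form,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def client_safe_view(server_config: dict) -> dict:
    """The fix: keep the channel secret (and any access token) server-side and
    return only the fields the mini-app needs. Allow-list fields, never deny-list."""
    client_fields = {"user", "menu"}
    safe = {k: v for k, v in server_config.items() if k in client_fields}
    line = server_config.get("line", {})
    # channel_id and liff_id are public identifiers; the secret stays on the server.
    safe["line"] = {k: line[k] for k in ("channel_id", "liff_id") if k in line}
    return safe


if __name__ == "__main__":
    leaked = find_leaked_credentials(SAMPLE_USER_ENTRY)
    print("credential-like fields in response:")
    for path, value in leaked.items():
        print(f"  {path} = {value[:4]}...")
    req = build_token_request("1234567890", leaked["line.client_secret"])
    print("token request:", req.get_method(), req.full_url)
    print("  body:", req.data.decode())
    safe = client_safe_view(json.loads(SAMPLE_USER_ENTRY))
    assert not find_leaked_credentials(json.dumps(safe))
    print("hardened response:", json.dumps(safe))
```

Run find_leaked_credentials over every response a mini-app fetches at startup; a hit for a client or channel secret is exactly the condition this advisory describes, and rotating the secret in the LINE Developers console is required after the fix, since any token already issued with the old secret stays valid until it expires.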

3. Affected users

This vulnerability affects every user of the mini-app 'KUKURUDELI'. Users are at risk of receiving malicious broadcast messages, such as phishing links or fraudulent information.