Skip to content

Latest commit

 

History

History
80 lines (52 loc) · 4.32 KB

CVE-2023-39047.md

File metadata and controls

80 lines (52 loc) · 4.32 KB
Raw

The following is the URL of this product: https://liff.line.me/1657207159-oGgKdNNW

Unlike traditional apps that are downloaded directly from app markets like Google Play, this product requires access through some steps. Let's take CVE-2023-43297-'animal-art-lab' as an example:

1. open the url in the website, then you can see a QR code, which points to the product


2. open app 'Line' on the phone and scan the QR code


3. you can successfully download open the product


Vulnerability name: Exposure of secret in shouzu sweets oz

Affected product: shouzu sweets oz

Affected version: v13.6.1

Vulnerability type: Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)

Vulnerability name: Exposure of secret in shouzu sweets oz

1. Vulnerability description

The mini-app 'shouzu sweets oz' on Line exposes the critical credential, the 'client secret', to the client-side, enabling remote attackers to obtain the secret. This client secret can then be utilized to acquire the channel access token, which is responsible for securing the communication channel within Line and can be exploited to broadcast malicious messages.

2. Attack Vectors

The exploit only requires that the client simply has Line installed and open the mini-app ‘shouzu sweets oz’ on Line. The response of the following request: https://asia-northeast1-pibot-order-prod.cloudfunctions.net/userEntry, contains the critical credential, the client secret. Then we verify the effectiveness of this secret using the tool supplied by Line.


Figure 1 Leakage of client secret

Figure 1 shows the response of request https://asia-northeast1-pibot-order-prod.cloudfunctions.net/userEntry leaks the client secret of Line which is strictly prohibited from being leaked. As shown in Figure 2, the client secret can be utilized to acquire the channel access token which is responsible for securing the communication channel within Line.


Figure 2 Exchange the channel access token with client secret

The official definition of channel access token is depicted in the following figure. It's obvious that keeping the channel access token secret is important. An attacker can utilize the channel to broadcast malicious messages if the channel access token is exposed.


Figure 3 The official description of channel access token
3.  Vulnerability affected

This vulnerability can have an impact on any mini-app ‘shouzu sweets oz’ user. Users will be at risk of getting malicious broadcast messages as a result of this vulnerability, such as website links, fraud information and so on.