The following is the URL of this product: https://liff.line.me/1657658490-lObDMRWZ
Unlike traditional apps that are downloaded directly from app markets like Google Play, this product requires access through some steps. Let's take CVE-2023-43297-'animal-art-lab' as an example:
1. open the url in the website, then you can see a QR code, which points to the product
2. open app 'Line' on the phone and scan the QR code
3. you can successfully download open the product
Vulnerability name: Exposure of secret in myGAKUYA
Affected version: Line 13.6.1
Affected product: myGAKUYA
Vulnerability type: Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)
The mini-app 'myGAKUYA' on Line exposes the critical credential, the 'channel access token', to the client-side, enabling remote attackers to obtain the token. This channel access token is responsible for securing the communication channel within Line and can be exploited to broadcast malicious messages.
The exploit only requires that the client simply has Line installed and open the mini-app ‘myGAKUYA’ on Line. The response of the following request: www.l-members.me/miniapp/members_card, contains the critical credential, the channel access token.
Figure 1 shows the response of request www.l-members.me/miniapp/members_card leaks the channel access token of Line which is strictly prohibited from being leaked. As shown in Figure 2, the request header “Authorization” of https://api.line.me/message/v3/notifier/token is the channel access token which should be strictly protected.
The official definition of channel access token is depicted in the following figure. It's obvious that keeping the channel access token secret is important. An attacker can utilize the channel to broadcast malicious messages if the channel access token is exposed.
This vulnerability can have an impact on any mini-app ‘myGAKUYA’ user. Users will be at risk of getting malicious broadcast messages as a result of this vulnerability, such as website links, fraud information and so on.