The following is the URL of this product: https://liff.line.me/1657503243-N69Wo4b3
Unlike traditional apps that are downloaded directly from app markets such as Google Play, this product is reached through the following steps. Take CVE-2023-43297-'animal-art-lab' as an example:
1. open the URL in a web browser; the page shows a QR code that points to the product
2. open the 'Line' app on the phone and scan the QR code
3. the product opens inside Line
Vulnerability name: Exposure of secret in craftbeer bar canvas
Affected product: craftbeer bar canvas
Affected version: v13.6.1
Vulnerability type: Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)
The Line mini-app 'craftbeer bar canvas' exposes a critical credential, the channel access token, to the client side, so any remote attacker who uses the app can obtain it. The channel access token is the bearer credential with which the channel authenticates to Line's APIs; whoever holds it can act as the channel, including broadcasting messages to its users.
Exploitation requires nothing more than a Line client: install Line, open the mini-app 'craftbeer bar canvas', and capture the traffic. The response to the request www.l-members.me/miniapp/members_card contains the channel access token.
Figure 1 shows the response to www.l-members.me/miniapp/members_card leaking the channel access token, a credential that must never reach the client. As shown in Figure 2, the same value is then sent by the client as the 'Authorization' request header of https://api.line.me/message/v3/notifier/token, i.e. the client itself is using a credential that should have stayed server-side.
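The check a tester would run over the captured members_card response, together with the hardened server-side pattern, as an added example that is not part of the original advisory or of the mini-app's own code. The sample response body, its token value and the member fields are constructed for the example (the real response is only shown in Figure 1 and the real token is not reproduced); the token-format heuristic is an assumption, since the page does not describe the token's format. The verification request uses the read-only Messaging API call GET https://api.line.me/v2/bot/info, which succeeds only with a valid channel access token; confirm validity that way rather than by sending a broadcast.

```python
import json
import re

LINE_API = "https://api.line.me"

# Assumption: the page does not give the token's format, so a candidate is
# either a value under a key that names a token/secret, or a long opaque
# base64-style string. Tune for the target if this is too noisy.
TOKEN_KEY_RE = re.compile(r"(token|authorization|secret)", re.IGNORECASE)
TOKEN_VALUE_RE = re.compile(r"^[A-Za-z0-9+/_-]{40,}={0,2}$")

# Constructed sample of a members-card response. The token value is invented
# for this example; it is not the credential that was actually leaked.
SAMPLE_RESPONSE = json.dumps({
    "member": {"id": "U1234567890", "name": "Example User", "points": 120},
    "channel_access_token": "eyJhbGciOiJIUzI1NiJ9." + "A" * 60 + "=",
    "ui": {"theme": "dark", "qr": "https://liff.line.me/1657503243-N69Wo4b3"},
})


def _walk(node, path=""):
    """Yield (json_path, value) for every scalar in a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")
    else:
        yield path, node


def find_candidate_secrets(body: str) -> list[tuple[str, str]]:
    """Scan a client-visible response body for values that look like a
    channel access token. Returns (json_path, value) pairs; a non-JSON body
    is scanned as plain text and reported under the path '<text>'."""
    try:
        doc = json.loads(body)
    except ValueError:
        return [("<text>", m.group(0))
                for m in re.finditer(r"[A-Za-z0-9+/_-]{40,}={0,2}", body)]
    hits = []
    for path, value in _walk(doc):
        if not isinstance(value, str):
            continue
        key = path.rsplit(".", 1)[-1]
        if (TOKEN_KEY_RE.search(key) and len(value) >= 20) or TOKEN_VALUE_RE.match(value):
            hits.append((path, value))
    return hits


def build_verify_request(candidate_token: str) -> dict:
    """Read-only confirmation for a tester: GET /v2/bot/info returns the bot
    profile only if the bearer token is a valid channel access token.
    Returns a request description; nothing is sent by this function."""
    return {"method": "GET", "url": f"{LINE_API}/v2/bot/info",
            "headers": {"Authorization": f"Bearer {candidate_token}"}}


def members_card_response(member: dict) -> str:
    """Hardened handler: the response carries member data only. The channel
    access token stays in the backend's configuration and never leaves it."""
    return json.dumps({"member": member})


def build_push_request(channel_access_token: str, user_id: str, text: str) -> dict:
    """Server-side only: the backend makes the Messaging API push call on the
    client's behalf (POST /v2/bot/message/push), so the client never needs
    the token. Returns the request the backend would send."""
    return {
        "method": "POST",
        "url": f"{LINE_API}/v2/bot/message/push",
        "headers": {"Authorization": f"Bearer {channel_access_token}",
                    "Content-Type": "application/json"},
        "body": json.dumps({"to": user_id,
                            "messages": [{"type": "text", "text": text}]}),
    }


if __name__ == "__main__":
    for path, value in find_candidate_secrets(SAMPLE_RESPONSE):
        print(f"possible channel access token at {path}: {value[:12]}...")
    print("hardened response:", members_card_response({"id": "U1234567890"}))
```

Run find_candidate_secrets over the body of each response the mini-app receives (a proxy export works); any hit under a token-named key is the finding in this advisory. Confirm a hit with the read-only request from build_verify_request, then stop: a valid token is already proof of impact, and sending messages through someone else's channel is abuse, not testing.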
The official definition of the channel access token is shown in the following figure. It makes clear that the token must be kept secret: an attacker who obtains it can use the channel to broadcast malicious messages.
This vulnerability affects every user of the mini-app 'craftbeer bar canvas'. Users are at risk of receiving malicious broadcast messages, such as phishing links or fraudulent information.