[Vulnerability Report] SSL Server Certificate Validation Deficiency in LINE for iOS
2018.02.20
[Overview]
An SSL server certificate validation deficiency caused by a vulnerable third-party SDK embedded in the LINE messaging app was discovered in LINE iOS versions 7.1.3 through 7.15. This vulnerability can allow specific encrypted communication sessions to be intercepted or tampered with on an untrusted network (*1). This issue was fixed in version 7.16, released on November 24, 2017.
The vulnerability affects communication established when using services displayed in the LINE app or external services (including IDs, passwords, and other information pertaining to external services). Text-based chat content (*2) within LINE, LINE login information (password), free calls, and video calls are not affected.
*1 Such as Wi-Fi access points installed with malicious intent
*2 Communication when downloading certain images and/or videos etc. may be affected
[Request to All Users]
If the LINE iOS version you are using is between 7.1.3 and 7.15, please update to the latest version from the following URL.
You can check your LINE version from "Settings" -> "About LINE".
[Affected Versions]
LINE for iOS
- Version 7.1.3 to 7.15
- Fixed in version 7.16
Note: Versions before 7.1.3 are not affected by this vulnerability.
Android, Mac OS, and Windows 8/10 versions of LINE are not affected. To update to the latest version, visit the app store of each OS.
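A version check for auditing an iOS device inventory against the range above, as an added example that is not part of LINE's advisory. The inventory rows are constructed, and treating every build from 7.1.3 up to (but not including) 7.16 as affected is an assumption.

```python
# Added example, not from the advisory: classify LINE for iOS versions
# against the affected range stated above (7.1.3 to 7.15, fixed in 7.16).
AFFECTED_FROM = (7, 1, 3)   # first affected version per the advisory
FIXED_IN = (7, 16, 0)       # first fixed version per the advisory


def parse_version(text):
    """Parse a dotted version such as '7.15' into a 3-tuple of ints."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts]
    # Numeric components: 7.15 sorts after 7.1.3 and 7.2, which a plain
    # string comparison would get wrong.
    return tuple(nums + [0] * (3 - len(nums)))


def classify(version_text):
    """Return 'affected', 'not affected' or 'unknown' for one version."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unknown"  # surface for manual review instead of guessing
    # Assumption: every build from 7.1.3 up to, but excluding, 7.16 is affected.
    if AFFECTED_FROM <= version < FIXED_IN:
        return "affected"
    return "not affected"


def audit(inventory):
    """Return (device, version, status) rows needing action or review."""
    rows = [(dev, ver, classify(ver)) for dev, ver in inventory]
    return [r for r in rows if r[2] != "not affected"]


# Constructed sample inventory (device names and versions are made up).
SAMPLE_INVENTORY = [
    ("iphone-001", "7.1.2"), ("iphone-002", "7.1.3"), ("iphone-003", "7.9"),
    ("iphone-004", "7.15"), ("iphone-005", "7.16"), ("iphone-006", "n/a"),
]

if __name__ == "__main__":
    for device, version, status in audit(SAMPLE_INVENTORY):
        print(f"{device}\t{version}\t{status}")
```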
[Related Links]
JVN#75453852 has been assigned to this issue.
https://jvn.jp/en/jp/JVN75453852/index.html
[Update History]
Updated February 20, 2018