Security issue in LINE’s group note API resolved
On July 25th, 2019 we received a report about a security bug (vulnerability) affecting LINE's group note API server, and promptly resolved the issue.
This announcement details our response.
1. Overview of the vulnerability
There was an improper access control issue in LINE's group note API server, in particular in the social graph retrieval API. This issue allowed third parties to obtain the internal identifiers of other LINE users (*1) one has interacted with on the LINE platform. Following are the details of the vulnerability and the social interactions that could lead to users being affected.
Under certain conditions, the following information, related to social relationships between LINE users (*2), was obtainable from the social graph retrieval APIs:
Our system automatically creates an internal group identifier when a note or album shared with another LINE user is created. This group identifier could be obtained by exploiting this vulnerability.
This group identifier is also generated beforehand as part of the note or album creation process, for certain versions of the LINE application.
Therefore, users who viewed notes or albums within a chat room may be affected. In some cases, simply opening a chat room with linked notes or albums may expose users to this vulnerability.
User identifiers of socially related peer users
When a group identifier is created, the user identifiers of all members of the group are associated with the created group identifier. As a result of this vulnerability, it was possible to obtain the user identifiers of all group members, if the group identifier was known.
The user identifiers obtainable as a result of this vulnerability are generally those of the target user's LINE friends. However, depending on the conditions under which the group identifier was created, the list of retrieved identifiers might contain identifiers belonging to other LINE users that the target user is in a social relationship with (*2).
In light of this, the vulnerability allowed someone exploiting it to obtain information about the social relationships of the users on their friends list ("friends of friends"). In some cases, this type of data could also be acquired for unrelated users, as described above.
(*1) In some cases a third party might be able to obtain internal identifiers without being registered as a friend of the target user.
(*2) The relationships explained above will be referred to as social relationship(s) for the rest of this article. Social relationships include unidirectional and bidirectional LINE friendship relations, being invited in the same chat room or group, sharing notes or albums with other LINE users.
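The access-control failure described above, as an added example that is not LINE's code: a group member-list lookup that treats a known group identifier as sufficient authorization, beside a hardened version that verifies the requester's membership first, plus a log replay that bounds which identifiers were disclosed to non-members. Everything here is hypothetical and constructed: user and group identifiers are opaque strings, a group is created with a fixed member set when a note or album is shared, the API takes the requester id and the group id, and the access log records one (requester, group_id) pair per call.

```python
"""Added example, not LINE's code: the improper access control pattern in the
advisory, modelled as a small in-memory service, plus a log replay a responder
could use to bound which user ids were handed to people outside a group.

Hypothetical assumptions: user and group ids are opaque strings, a group gets
a fixed member set when a note or album is shared, the API takes the requester
id and the group id, and the access log records (requester, group_id) per call.
"""
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when the requester is not entitled to the group's member list."""


@dataclass(frozen=True)
class Group:
    group_id: str
    members: frozenset


@dataclass
class GroupStore:
    groups: dict = field(default_factory=dict)

    def create_group(self, group_id, members):
        # Mirrors the advisory: a group id is created when a note or album is
        # shared, and every participant's user id is attached to it.
        self.groups[group_id] = Group(group_id, frozenset(members))


def members_unchecked(store, requester, group_id):
    """Vulnerable pattern: any caller who knows a group id gets every member id.
    `requester` is never compared with the membership, so a leaked or
    pre-generated group id effectively acts as a capability."""
    return sorted(store.groups[group_id].members)


def members_checked(store, requester, group_id):
    """Hardened pattern: verify the requester is a member before returning
    anything. An unknown group and a foreign group produce the same error, so
    the endpoint does not confirm which group ids exist."""
    group = store.groups.get(group_id)
    if group is None or requester not in group.members:
        raise AccessDenied("requester is not a member of this group")
    return sorted(group.members)


def is_allowed(store, requester, group_id):
    """Boolean view of members_checked, convenient for policy tests."""
    try:
        members_checked(store, requester, group_id)
        return True
    except AccessDenied:
        return False


def disclosed_ids(store, access_log):
    """Replay (requester, group_id) log entries against the membership data and
    return the set of user ids that were handed to someone outside the group.
    This is the kind of bound a responder wants when sizing an incident."""
    leaked = set()
    for requester, group_id in access_log:
        group = store.groups.get(group_id)
        if group is None or requester in group.members:
            continue  # member lookups and unknown ids disclose nothing new
        leaked |= group.members - {requester}
    return leaked


# Constructed sample data, not real LINE identifiers.
def build_sample():
    store = GroupStore()
    store.create_group("g-note-1", {"u-alice", "u-bob"})
    store.create_group("g-album-2", {"u-bob", "u-carol", "u-dave"})
    return store


SAMPLE_LOG = [
    ("u-alice", "g-note-1"),     # member: fine under both handlers
    ("u-outsider", "g-note-1"),  # non-member: alice and bob disclosed
    ("u-outsider", "g-album-2"), # non-member: bob, carol, dave disclosed
    ("u-outsider", "g-missing"), # unknown id: nothing to disclose
]


if __name__ == "__main__":
    store = build_sample()
    print("unchecked:", members_unchecked(store, "u-outsider", "g-note-1"))
    print("checked allowed:", is_allowed(store, "u-outsider", "g-note-1"))
    print("disclosed by log:", sorted(disclosed_ids(store, SAMPLE_LOG)))
```

The design point is that the group identifier is data the client supplies, not proof of anything; the hardened handler derives authorization from the server-side membership set and the authenticated requester, and collapses "no such group" and "not your group" into one response so the endpoint cannot be used to map which identifiers exist.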
2. Our response
We discovered the cause of the vulnerability and deployed a fix on July 29th, at 11:21 AM JST.
After investigating our internal access logs, as well as the details of the vulnerability, we have found that up to 695,192 users may have been affected.
The reasons behind the number being higher than expected for this kind of vulnerability are:
- The reporter created a public LINE Bot for the purpose of demonstrating the effect of this vulnerability.
- This bot was added as a friend by multiple users, which allowed them to view information about other users' social relationships (*2), including users not currently on their friends list.
By creating the bot and making it available to other users, the reporter was in violation of the Terms and Conditions of LINE's Bug Bounty Program. We have received a written pledge from the researcher stating that any additional data acquired has not been made publicly available, and has been deleted.
Neither the contents of notes nor conversations were leaked due to this issue.
In addition, the bot is currently suspended, as part of our incident response handling.
The following two types of users are affected:
Note: "LINE Bot" in the following explanations refers exclusively to the Bot created by the reporter of this vulnerability.
- LINE Users (A) who had their contact details shared in the LINE Bot's chat room (by using the 'Share Contact' function) by a LINE User (X) who had previously added the LINE Bot.
- LINE Users (B) who were in a social relationship with LINE Users (A), and who meet the specific requirements mentioned in the Vulnerability Details section above.
Number of affected users by Country / Region:
- Japan: 328,468
- Taiwan: 327,728
- Other countries / regions: 13,652
- Other (*): 25,344
(*) Inactive accounts etc.
3. Vulnerability timeline
- July 25th, 2019 03:03: Vulnerability report received through LINE Security Bug Bounty Program
- July 29th, 2019 11:21: Vulnerability fixed.
- July 30th, 2019 18:53: Informed reporter that the reported vulnerability has been fixed.
- July 30th, 2019 21:58: Received a written pledge confirming that the reporter has deleted all data acquired as a result of exploiting this vulnerability.
All times are in JST (UTC+9).
4. About LINE's Bug Bounty Program
We continue to accept vulnerability reports via the LINE Security Bug Bounty Program.
As of June 2019 the following vulnerabilities have been recognized as valid:
To keep the operations of LINE Group transparent, we will continue to disclose significant vulnerabilities.
Inquiry form: https://contact-cc.line.me/en/10095/ (until August 31st 2019)