Bug fix for LINE profile photo's upload function
2019.09.03
On August 31, 2019, a security bug (vulnerability) affecting the upload function for profile photos was reported via our Bug Bounty Program and promptly fixed.
1. Overview of the vulnerability
A flaw in access restrictions was found in the photo upload API used for changing LINE profile photos, making it possible for a third party to change the profile photos of other LINE accounts at will. This vulnerability affected personal-use LINE accounts, as well as LINE@ accounts and LINE Official Accounts. It affected only the photo upload function, and we have found no instance of passwords or personal information being compromised.
The vulnerability has been fixed as of 6:02 pm (GMT+9), August 31, 2019.
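To make the class of flaw concrete, the following is an added illustrative example, not LINE's code and not derived from any knowledge of the real API: a minimal upload handler that trusts the account named in the request, beside a hardened one that decides authorization server-side from the authenticated session. The assumed mechanism (the target account taken from the request body) is a hypothesis; the report does not say how the access restriction failed.

```python
from dataclasses import dataclass, field


@dataclass
class Session:
    account_id: str  # account the caller is authenticated as


@dataclass
class Store:
    photos: dict = field(default_factory=dict)    # account_id -> photo bytes
    managers: dict = field(default_factory=dict)  # official account -> set of manager ids
    audit: list = field(default_factory=list)     # rejected cross-account writes


def upload_photo_vulnerable(store, session, request):
    """Flawed handler: writes to whichever account the request body names.

    Any authenticated caller can overwrite any account's photo, which is
    the effect the report describes (mechanism assumed, not confirmed).
    """
    target = request["account_id"]  # caller-controlled, never checked against the session
    store.photos[target] = request["photo"]
    return {"status": 200, "account_id": target}


def is_authorized(store, session, target):
    """Caller may change the photo of their own account, or of an official
    account they are registered as a manager of (hypothetical manager model)."""
    if target == session.account_id:
        return True
    return session.account_id in store.managers.get(target, set())


def upload_photo_fixed(store, session, request):
    """Hardened handler: authorization is decided from the session, not the body."""
    if session is None:
        return {"status": 401}
    # Default to the caller's own account; an explicit target must pass the check.
    target = request.get("account_id", session.account_id)
    if not is_authorized(store, session, target):
        # Record the rejected attempt: a burst of these across many targets
        # is the detection signal for abuse of an endpoint like this.
        store.audit.append({"caller": session.account_id, "target": target})
        return {"status": 403}
    store.photos[target] = request["photo"]
    return {"status": 200, "account_id": target}
```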
2. Our response
We received a report regarding this vulnerability through our LINE Security Bug Bounty Program. With the information provided by the reporter and through our own investigations, we determined that the vulnerability was used, at the very least, between August 30 and 31, 2019 to tamper with the profile photos of users' LINE accounts. We have been individually contacting a number of affected users, including LINE Official Account (premium account) customers. For personal-use LINE accounts that we determined to have been affected, we have changed the profile photo to a default one and are individually contacting these users.
We have started a retroactive impact assessment after discovering that the bug was present since May 17, 2019.
In case any additional damage is identified that requires handling by LINE, we will update this report with the details and individually notify the affected users. However, as checking the profile images of all LINE accounts will require a significant amount of time, we would kindly like to ask LINE users to voluntarily check their own profile image for signs of possible tampering.
If a tampered profile image has not been changed to a default photo, the account was likely overlooked during LINE's bug investigation. In this case, please kindly use the inquiry form below to notify LINE.
2.1 Voluntary bug investigation
2.1.1 For personal-use LINE accounts
- Please follow the steps below to check whether your account has been affected by the vulnerability.
- Check your profile image.
- If you have enabled "Share profile media updates" under the Profile setting, a notice is posted to your Timeline every time you change your profile image. If you have already corrected your profile image, please check your Timeline history for signs of involuntary tampering with your profile image.
2.1.2 For customers of LINE@ and LINE Official Account
- Customers of LINE@ and LINE Official Account please see the instructions below.
- A correct profile image might be displayed in the account manager for LINE@ and LINE Official Account, while the image shown in the LINE app has been replaced without authorization. Please make sure to check your profile image in the LINE app. For users who are following LINE@ accounts or official accounts, please check whether the account profile images are genuine by blocking the accounts, then unblocking them.
- Please also refer to the following information.
- For customers managing LINE@ accounts: https://admin-official.line.me/announce2/20119314?accountType=at&country=US
- For customers managing LINE Official Accounts: https://manager.line.biz/announce/20119318?country=US
- For customers of LINE Official Account who haven't migrated to the new platform: https://admin-official.line.me/announce2/20119315?accountType=oa&country=US
3. Vulnerability timeline (Japan time)
- August 31, 2019 02:15 am: Vulnerability report received through LINE Security Bug Bounty Program
- August 31, 2019 02:25 pm: Cases of unauthorized replacements of profile images identified
- August 31, 2019 06:02 pm: Vulnerability fixed, with impact analysis and efforts to restore affected accounts underway
- August 31, 2019 11:40 pm: Notice to users posted on the sites for LINE@ and LINE Official Account managers
- September 1, 2019 12:10 am: Notice to users posted on the sites for LINE Official Account managers (new platform)
- September 1, 2019 12:47 am: Affected profile images of individual user accounts reset
4. About LINE Security Bug Bounty Program
We are accepting vulnerability reports via the LINE Security Bug Bounty Program. As of June 2019, the vulnerabilities listed at the following pages have been recognized as valid:
https://linecorp.com/en/security/article/213
https://bugbounty.linecorp.com/en/halloffame/
To maintain transparency, LINE Group will continue to disclose significant vulnerabilities.
5. Inquiry
Inquiry form for individual users
https://contact-cc.line.me/detailId/10095
Inquiry form for customers of LINE Official Account / LINE@
https://contact-cc.line.me/detailId/12698
(Valid until October 2, 2019)