Notice regarding a temporary vulnerability detected on LINE’s Story function
2021.11.11
All dates and times are indicated in JST unless noted otherwise
1. Overview
Through the LINE Security Bug Bounty Program (*1), we identified a vulnerability in LINE's Story function that was present during the period of July 20 to October 10, 2021. This vulnerability allowed some user information to be seen by third parties, including Story author identification data, the time of Story creation and a partial list of Friends. Please note, however, that the actual contents of the Story posts were not visible to third parties.
The vulnerability was fixed on October 10, 2021 at 20:35 JST. There is no evidence this problem occurred outside of the listed period.
The details of our investigation are summarized below.
(*1) LINE Security Bug Bounty Program
A program operated by LINE that accepts reports on vulnerabilities in the LINE messenger app and related services, and provides rewards to those who report them.
https://bugbounty.linecorp.com/en/
2. Incident Assessment
The period and the scale of this vulnerability are as follows:
・ Duration: July 20, 2021 at 10:53 - October 10, 2021 at 20:35 JST
・ Information potentially exposed: The time of Story creation, Story author identification data and a partial list of Friends.
※ The contents of the Story posts were not included and could not be viewed by third parties.
・ Affected users: Users who posted to Stories during the vulnerability period
・ Stories potentially affected: Stories posted while the vulnerability was present. Information was viewable for 24 hours, from the time of posting until the Story was automatically deleted.
・ Response status: After the issue was identified, we promptly took action and corrected the issue at 20:35 JST on October 10, 2021.
3. Cause and prevention of recurrence
Cause:
At 10:53 on July 20, 2021, a bug in the iOS version of LINE increased traffic to the Story authentication process, causing a system delay that required emergency measures. These measures resolved the system delay, but led to the Story vulnerability.
Measures to prevent recurrence:
To prevent any recurrence, we will strengthen the additional verification process carried out as part of emergency measures, and pursue other initiatives.
4. Correspondence in chronological order (all times are JST)
July 20, 2021 at 10:53: A vulnerability occurred due to emergency measures taken to deal with a system delay.
October 10, 2021 at 16:28: The existence of the vulnerability was confirmed through the LINE Security Bug Bounty Program.
October 10, 2021 at 20:35: The cause of the vulnerability was identified and the issue was resolved.
5. Update history
November 11, 2021: Notification posted
6. Inquiries regarding this matter
For inquiries regarding this matter, please contact us at the link below:
https://contact-cc.line.me/detailId/10066
We sincerely apologize to our users for this issue and will make our best efforts to prevent a recurrence.