Critical Vulnerability In LINE Could Allow Admin Access To Official Account

A serious vulnerability existed in the messenger app LINE that allowed admin access to Official Accounts. Line not only patched the bug but also awarded a $4,750 bounty to the researcher.

LINE Vulnerability Allowing Admin Access

Bug bounty hunter Ron Chan found a serious security vulnerability affecting LINE accounts. As described in the HackerOne bug report, there was an Insecure Direct Object Reference (IDOR) vulnerability that allowed an adversary to gain admin access to a LINE Official Account.

Regarding how the exploit worked, Chan stated,

This was due to an issue where the group ID could be extracted and/or easily guessed, combined with lack of authentication, leading to being able to craft a request that resulted in being given administration rights to that LINE Official Account.

The researcher reported the flaw to Line via their bug bounty program on HackerOne in September 2019. This bug leading to a privilege escalation and achieved a critical severity rating with a score of 9-10. Following his report, LINE worked on a fix to eliminate the flaw.

The vendors awarded a bounty of $4,750 to Chan for reporting the vulnerability.

Previous Security Incident With LINE Accounts

This critical severity bug report comes right after a massive security incident affecting thousands of LINE accounts. In February, LINE disclosed a wave of unauthorized account logins compromising 4000+ accounts, including a majority of users from Japan.

As elaborated in their advisory, investigations revealed that the attackers behind the hacking campaign abused the compromised accounts to send spammy and phishing messages to permanently hijack LINE accounts.

Following the incident, LINE reset passwords of affected accounts alongside implementing other security measures.

Let us know your thoughts in the comments.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients