Vulnerability in Line messaging app lets hackers control your chat

Vulnerability bounty programs keep proving their effectiveness even in the midst of a worldwide pandemic. Researcher Ron Chan, a cyber security consulting specialist, has disclosed a serious security vulnerability affecting users of the messaging platform LINE.

The security flaw was disclosed through HackerOne, which has reported that this is an Insecure Direct Object Reference (IDOR) vulnerability that could allow threat actors to obtain admin access to any LINE account.

In his report about the discovery, the cyber security consulting specialist mentioned: "This flaw exists due to an issue where the group ID could be extracted; in other cases it could be easily guessed. In combination with a lack of authentication, this security flaw allows hackers to send a specially crafted request that grants them administration rights in the target LINE Official Account."
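As an added illustration of the bug class described in the report (an example written for this page, not LINE's code and not the researcher's proof of concept), the hypothetical group service below shows the unsafe "trust the group ID in the request" path next to a fixed path that resolves the object and then authorizes the caller against it, and that issues unguessable group identifiers:

```python
"""Hypothetical group service illustrating an IDOR on a guessable group ID (constructed example)."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Group:
    group_id: str
    admins: set = field(default_factory=set)
    members: set = field(default_factory=set)


class Forbidden(Exception):
    """Raised when the caller is not allowed to act on the referenced group."""


class GroupService:
    def __init__(self):
        self.groups: dict[str, Group] = {}

    def create_group(self, owner: str) -> str:
        # Unguessable identifier; a short or sequential ID would make the
        # object reference trivially enumerable.
        gid = secrets.token_urlsafe(16)
        self.groups[gid] = Group(gid, admins={owner}, members={owner})
        return gid

    def grant_admin_vulnerable(self, group_id: str, target_user: str) -> None:
        # BUG (the pattern from the report): the request is honored for anyone
        # who knows or guesses group_id. No authenticated caller identity is
        # required and no check ties the caller to that group.
        g = self.groups[group_id]
        g.admins.add(target_user)
        g.members.add(target_user)

    def grant_admin(self, caller: str, group_id: str, target_user: str) -> None:
        # FIX: require an authenticated caller and verify that the caller is
        # already an admin of the specific object referenced by the request.
        g = self.groups.get(group_id)
        if g is None or caller not in g.admins:
            # One response for "no such group" and "not your group" so the
            # endpoint does not act as an existence oracle for group IDs.
            raise Forbidden("not authorized for this group")
        g.admins.add(target_user)
        g.members.add(target_user)


def is_admin(svc: GroupService, group_id: str, user: str) -> bool:
    """Helper for checks: report whether user holds admin rights in the group."""
    g = svc.groups.get(group_id)
    return g is not None and user in g.admins
```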

Chan reported the flaw to LINE through the company's vulnerability bounty program, operated by HackerOne, in September 2019. Cyber security consulting specialists note that this flaw could lead to privilege escalation, and it is considered a high-severity issue. Shortly after receiving the report, LINE started working on a fix to address the flaw. LINE awarded the researcher a $4,750 USD bounty.

This is not the only security issue recently discovered in the messaging service. Last February, the company publicly disclosed a malicious campaign involving thousands of unauthorized login attempts; most of the affected users (about 4,000 individuals) were located in Japan.

On that occasion, researchers revealed that the threat actors behind the campaign delivered tens of spam and phishing messages to the attacked accounts, aiming to hijack their LINE accounts. As a security measure, LINE forced a mass password reset, among other preventive measures.

For more information on newly discovered security flaws, exploits and cyberattacks, you can visit the official website of the International Institute of Cyber Security (IICS), in addition to the official communication platforms of tech companies.