JVN#61297210
Money Forward Apps for Android vulnerable in the WebView class
Overview
Money Forward Apps for Android contain a vulnerability in the WebView class.
Products Affected
The following products provided by Money Forward, Inc.
- Android App Money Forward (prior to v7.18.0)
- Android App Money Forward for The Gunma Bank (prior to v1.2.0)
- Android App Money Forward for SHIGA BANK (prior to v1.2.0)
- Android App Money Forward for SHIZUOKA BANK (prior to v1.4.0)
- Android App Money Forward for SBI Sumishin Net Bank (prior to v1.6.0)
- Android App Money Forward for Tokai Tokyo Securities (prior to v1.4.0)
- Android App Money Forward for THE TOHO BANK (prior to v1.3.0)
- Android App Money Forward for YMFG (prior to v1.5.0)
The following products provided by SOURCENEXT CORPORATION
- Money Forward for AppPass (prior to v7.18.3)
- Money Forward for au SMARTPASS (prior to v7.18.0)
- Money Forward for Chou Houdai (prior to v7.18.3)
Description
Money Forward Apps for Android contain a vulnerability in the WebView class.
Impact
If a user of the affected product uses another malicious Android application, information managed by the affected product may be disclosed.
Solution
Update the application
Update to the latest version according to the information provided by the developer.
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| Money Forward, Inc. | Vulnerable | 2016/09/20 | Money Forward, Inc. website |
| Vendor | Link |
| SOURCENEXT CORPORATION | Vulnerabilities in Money Forward Apps for Android Fixed |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
|---|---|---|---|
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Comment
This analysis assumes that the user is tricked into installing a malicious application.
Credit
Kenta Suefusa, Akinori Konishi and Tomonori Shiomi of Sprout Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2016-4839 |
| JVN iPedia |
JVNDB-2016-000160 |