Published: 2015/09/16  Last Updated: 2015/09/16

Information from Newphoria Corporation

Vulnerability ID:JVN#71815309
Title:Auction Camera vulnerable to URL whitelist bypass

This is a statement from the vendor itself with no modification by JPCERT/CC.

Vulnerability in access restriction of Auction Camera has been found.
The iOS application has been removed from the AppStore.
The updated Android application has been released to the Google Play.

[Affected applications]
iOS and Android “Auction Camera” application up to version 1.1

[Detailed information]
Auction Camera could be loaded using URL scheme with the possibility to open an arbitrary page.

[Supposed effect]
In Android application it is possible to call API's on behalf of the affected application.
In iOS application it is possible to execute optional API's used by the iOS application.

[Resolution method]
Please update the application to version 1.2 or higher.

Please uninstall the application.

This vulnerability report was sent according to Information Security Early Warning partnership within regulation between our company and IPA with JPCERT/CC.
The information regarding the vulnerability was reported to us by Sprout Inc.
Our special thanks to Kenta Suefusa and Tomonori Shiomi of Sprout Inc., and also to anyone involved into Information Security Early Warning partnership.