JVN#01119243
API server used by JR East Japan train operation information push notification App for Android fails to restrict access permissions
Overview
API server used by JR East Japan train operation information push notification App for Android fails to restrict access permissions.
Products Affected
- JR East Japan train operation information push notification App for Android version 1.2.4 and earlier
Description
JR East Japan train operation information push notification App for Android provided by East Japan Railway Company fails to restrict access permissions (CWE-284).
The application is no longer available/supported, and its service was ended in 2019 march 23.
Impact
A remote attacker may obtain or alter registration information of a user.
Solution
Do not use JR East Japan train operation information push notification App for Android
The application is no longer available/supported, and its service was ended in 2019 march 23. It is recommended to stop using and uninstall it.
The developer recommends that users should use JR East Japan App and/or JR East Japan Chat Bot for LINE, or check the information available through the developer's website.
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| East Japan Railway Company | Vulnerable | 2019/04/01 |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
|---|---|---|---|
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
Tomoya Takahashi of TCU Communication engineering Club reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory | |
| CPNI Advisory | |
| TRnotes | |
| CVE |
CVE-2019-5954 |
| JVN iPedia |
JVNDB-2019-000021 |