Published:2007/07/31  Last Updated:2008/05/21

Yayoi Kaikei improper handling of credential information


Yayoi Kaikei Quick Navigator sends user credentials unencrypted.

Products Affected

  • Yayoi Kaikei 05 Series & Yayoi Aoiro Shinkoku (blue return) 05
  • Yayoi Kaikei 06 Series & Yayoi Aoiro Shinkoku (blue return) 06 (including R2)
  • Yayoi Kaikei 07 Series & Yayoi Aoiro Shinkoku (blue return) 07 (excluding R2)
  • Yayoi Hanbai 06 Series
  • Yayoi Hanbai 07 Series (product version 10.0.1 only)
For more information, refer to the vendor's website.


Yayoi Kaikei Quick Navigator makes the user log into the vendor's server, and sends the user credentials unencrypted.


By monitoring the communication between Quick Navigator and the vendor's server, an attacker can obtain the customer number and the phone number to impersonate the user on vendor's server.


Update the Software
Updated versions of the software are available which communicate with the vendor's server over SSL.

Do not use Quick Navigator.

For more information, refer to the vendor's website.

Vendor Status

Vendor Link
Yayoi Co., Ltd.


JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2007.07.31

Measures Conditions Severity
Access Required Routed - can be attacked over the Internet using packets
  • High
Authentication None - anonymous or no authentication (IP addresses do not count)
  • High
User Interaction Required Simple - the user must be convinced to take a standard action that does not feel harmful to most users, such as click on a link or view a file
  • Medium
Exploit Complexity Low-Medium - some expertise and/or luck required (most buffer overflows, guessing correctly in small space, expertise in Windows function calls)
  • Medium-High

Description of each analysis measures


Other Information

JPCERT Reports
CERT Advisory
CPNI Advisory
JVN iPedia JVNDB-2007-000559

Update History