Published: 2021/10/29  Last Updated: 2021/11/24

JVN#49465877
Android App "Mercari (Merpay) - Marketplace and Mobile Payments App" (Japan version) vulnerable to improper handling of Intent

Overview

Android App "Mercari (Merpay) - Marketplace and Mobile Payments App" (Japan version) is vulnerable to improper handling of Intent.

Products Affected

  • Android App "Mercari (Merpay) - Marketplace and Mobile Payments App" (Japan version) versions prior to 4.49.1
The developer states that the affected versions are no longer in use at this point, because the update was applied automatically whenever the application was launched.

Description

Android App "Mercari (Merpay) - Marketplace and Mobile Payments App" (Japan version) provided by Mercari, Inc. is vulnerable to improper handling of Intent (CWE-939).

Impact

If a user of a vulnerable version of the application visits a malicious web page, that page can launch an arbitrary Activity of the application. As a result, the access token for the user's Mercari account may be obtained.
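As an added illustration of the hardening a CWE-939 finding of this kind calls for (this is not Mercari's code, and the advisory does not say which handler was affected), the following Android WebViewClient assumes the common pattern in which a WebView forwards intent:// URLs to startActivity, and stops web content from naming a specific Activity of the host app:

```java
// Added example, not code from the advisory or from the Mercari app.
// Assumption: the app renders web content in a WebView and forwards
// intent:// URLs to startActivity; the advisory names no mechanism.
import android.content.ActivityNotFoundException;
import android.content.Intent;
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.net.URISyntaxException;

public class HardenedWebViewClient extends WebViewClient {

    @Override
    public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
        Uri url = request.getUrl();
        if (!"intent".equals(url.getScheme())) {
            // http(s) and other schemes: let the WebView load them as usual.
            return false;
        }
        Intent intent;
        try {
            intent = Intent.parseUri(url.toString(), Intent.URI_INTENT_SCHEME);
        } catch (URISyntaxException e) {
            return true; // malformed intent URL: load nothing
        }
        // Web content must never address a concrete Activity. Dropping any
        // explicit component or selector means the intent can only resolve to
        // exported activities that opted in with CATEGORY_BROWSABLE, which is
        // exactly the treatment a browser gives intent:// links.
        intent.setComponent(null);
        intent.setSelector(null);
        intent.addCategory(Intent.CATEGORY_BROWSABLE);
        // setFlags replaces every flag parsed from the URL, so a page cannot
        // smuggle in FLAG_GRANT_*_URI_PERMISSION or similar.
        intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        // Do not let the page route an intent back into this app's own package:
        // internal Activities holding session or token state stay unreachable.
        String self = view.getContext().getPackageName();
        if (self.equals(intent.getPackage())) {
            return true;
        }
        try {
            view.getContext().startActivity(intent);
        } catch (ActivityNotFoundException e) {
            // No handler installed: ignore, rather than following a
            // browser_fallback_url that the same page controls.
        }
        return true;
    }
}
```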

Solution

Update the application
Update the application to the latest version according to the information provided by the developer.
The developer states that no action is required of users, since the application is updated automatically when it is launched.

Vendor Status

Vendor          Status       Last Update   Vendor Notes
Mercari, Inc.   Vulnerable   2021/10/29

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3  CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Base Score: 7.4
  Attack Vector (AV): Network (N)
  Attack Complexity (AC): Low (L)
  Privileges Required (PR): None (N)
  User Interaction (UI): Required (R)
  Scope (S): Changed (C)
  Confidentiality Impact (C): High (H)
  Integrity Impact (I): None (N)
  Availability Impact (A): None (N)

CVSS v2  AV:N/AC:M/Au:N/C:P/I:N/A:N
Base Score: 4.3
  Access Vector (AV): Network (N)
  Access Complexity (AC): Medium (M)
  Authentication (Au): None (N)
  Confidentiality Impact (C): Partial (P)
  Integrity Impact (I): None (N)
  Availability Impact (A): None (N)

Credit

RyotaK reported this vulnerability to Mercari, Inc. and Mercari, Inc. reported it to JPCERT/CC to disclose the vulnerability through JVN.

Other Information

CVE: CVE-2021-20835
JVN iPedia: JVNDB-2021-000096

Update History

2021/11/24
Information under the section [Vulnerability Analysis by JPCERT/CC] was added.