Published:2021/09/28  Last Updated:2021/09/28

InBody App vulnerable to information disclosure


InBody App contains an information disclosure vulnerability. This vulnerability is exploited only when InBody App works with the body composition analyzer InBody Dial.

Products Affected

The following products are affected by this vulnerability only when they work with the household body composition analyzer InBody Dial.

  • InBody App for iOS versions prior to 2.3.30
  • InBody App for Android versions prior to 2.2.90(510)


InBody App provided by InBody Japan Inc. works with the household body composition analyzer InBody Dial manufactured and sold by InBody Japan Inc., and as a part of its functions, it manages and stores data such as weight, BMI, skeletal muscle mass, and fat mass measured by InBody Dial.
InBody App contains a vulnerability which may lead to information disclosure (CWE-200) only when it works with InBody Dial. As a result, it may receive a measurement result from InBody Dial under specific conditions.


Under specific conditions, an attacker who can connect to the InBody Dial with InBody App may obtain a victim's measurement result measured by InBody Dial.


Update InBody App
Update InBody App to the latest version according to the information provided by the developer.


JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Base Score: 3.5
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
Base Score: 2.9
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)


Daiki Ichinose of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Reports
CERT Advisory
CPNI Advisory
CVE CVE-2021-20832
JVN iPedia JVNDB-2021-000084