JVN#63023305
InBody App vulnerable to information disclosure
Overview
InBody App contains an information disclosure vulnerability. This vulnerability can be exploited only when InBody App works with the body composition analyzer InBody Dial.
Products Affected
The following products are affected by this vulnerability only when they work with the household body composition analyzer InBody Dial.
- InBody App for iOS versions prior to 2.3.30
- InBody App for Android versions prior to 2.2.90(510)
Description
InBody App provided by InBody Japan Inc. works with the household body composition analyzer InBody Dial manufactured and sold by InBody Japan Inc., and as a part of its functions, it manages and stores data such as weight, BMI, skeletal muscle mass, and fat mass measured by InBody Dial.
InBody App contains a vulnerability which may lead to information disclosure (CWE-200) only when it works with InBody Dial. As a result, it may receive a measurement result from InBody Dial under specific conditions.
Impact
Under specific conditions, an attacker who can connect to the InBody Dial with InBody App may obtain a victim's measurement result measured by InBody Dial.
Solution
Update InBody App
Update InBody App to the latest version according to the information provided by the developer.
Vendor Status
Vendor | Link |
---|---|
InBody Japan Inc. | InBody Dial App update information for enhanced security (Text in Japanese) |
 | InBody - App Store |
 | InBody - Google Play |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
CVSS v3
Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
---|---|---|---|---|
Attack Complexity(AC) | High (H) | Low (L) | | |
Privileges Required(PR) | High (H) | Low (L) | None (N) | |
User Interaction(UI) | Required (R) | None (N) | | |
Scope(S) | Unchanged (U) | Changed (C) | | |
Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
Integrity Impact(I) | None (N) | Low (L) | High (H) | |
Availability Impact(A) | None (N) | Low (L) | High (H) | |
CVSS v2
Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
---|---|---|---|
Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
Authentication(Au) | Multiple (M) | Single (S) | None (N) |
Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
Daiki Ichinose of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
JPCERT Alert | |
---|---|
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2021-20832 |
JVN iPedia | JVNDB-2021-000084 |