Published:2024/01/23  Last Updated:2024/01/24

JVN#96154238
Android App "Spoon" uses a hard-coded API key for an external service

Overview

Android App "Spoon" uses a hard-coded API key for an external service.

Products Affected

  • Android Spoon application version 7.11.1 to 8.6.0

Description

Android App "Spoon" provided by Spoon Radio Japan Inc. uses a hard-coded API key for an external service (CWE-798).

Impact

The hard-coded API key may be retrieved when the application binary is reverse-engineered.
This API key may be used for unexpected access of the associated service.

Note that the application users are not directly affected by this vulnerability.

Solution

Update the Application
Update the application to the latest version according to the information provided by the developer.
This vulnerability has been fixed in Android Spoon application version 8.6.1 or later.

Vendor Status

Vendor Link
Spoon Radio Japan Inc. Spoon: Live Stream, Talk, Chat
Recommended updates due to Android Spoon app vulnerabilities (Affected Versions: 7.11.1 to 8.6.0) (Text in Japanese)

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score: 4.0
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
CVSS v2 AV:L/AC:L/Au:N/C:P/I:N/A:N
Base Score: 2.1
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)

Credit

Yoshihito Sakai of BroadBand Security, Inc reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2024-23453
JVN iPedia JVNDB-2024-000013

Update History

2024/01/24
Information under the section [Credit] was updated.