Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-35734: JVN#40907489: "Hulu / フールー" App for Android uses a hard-coded API key for an external service

‘Hulu / ???’ App for Android from version 3.0.47 to the version prior to 3.1.2 uses a hard-coded API key for an external service. By exploiting this vulnerability, API key for an external service may be obtained by analyzing data in the app.

CVE
Open in Source
#vulnerability#android#auth

Published:2022/07/27 Last Updated:2022/07/27

Overview

“Hulu / フールー” App for Android uses a hard-coded API key for an external service.

Products Affected

  • “Hulu / フールー” App for Android version 3.0.47 or later, and prior to 3.1.2

Description

“Hulu / フールー” App for Android provided by HJ Holdings, Inc. uses a hard-coded API key for an external service (CWE-798).

Impact

The hard-coded API key may be retrieved via reverse-engineering the application binary.
Note that the application users are not directly affected by this vulnerability.

Solution

The hard-coded API key has been revoked by the developer on June 7, 2022 and this vulnerability is not exploitable now.
The developer has released “Hulu / フールー” App for Android version 3.1.2 without any API key hard-coded.

Vendor Status

Vendor

Status

Last Update

Vendor Notes

HJ Holdings, Inc.

Vulnerable

2022/07/27

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector(AV)

Physical §

Local (L)

Adjacent (A)

Network (N)

Attack Complexity(AC)

High (H)

Low (L)

Privileges Required(PR)

High (H)

Low (L)

None (N)

User Interaction(UI)

Required ®

None (N)

Scope(S)

Unchanged (U)

Changed ©

Confidentiality Impact©

None (N)

Low (L)

High (H)

Integrity Impact(I)

None (N)

Low (L)

High (H)

Availability Impact(A)

None (N)

Low (L)

High (H)

CVSS v2 AV:L/AC:L/Au:N/C:P/I:N/A:N

Access Vector(AV)

Local (L)

Adjacent Network (A)

Network (N)

Access Complexity(AC)

High (H)

Medium (M)

Low (L)

Authentication(Au)

Multiple (M)

Single (S)

None (N)

Confidentiality Impact©

None (N)

Partial §

Complete ©

Integrity Impact(I)

None (N)

Partial §

Complete ©

Availability Impact(A)

None (N)

Partial §

Complete ©

Credit

Ryo Sato of BroadBand Security, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE