CVE-2020-5604 in Mercari App
Summary
by MITRE
Android App 'Mercari' (Japan version) prior to version 3.52.0 allows arbitrary method execution of a Java object by a remote attacker via a Man-In-The-Middle attack by using Java Reflection API of JavaScript code on WebView.
Analysis
by VulDB Data Team • 07/09/2020
The vulnerability identified as CVE-2020-5604 affects the Japanese version of the Mercari mobile application prior to version 3.52.0, representing a critical security flaw that enables remote code execution through a man-in-the-middle attack vector. This vulnerability specifically targets the application's WebView component which processes JavaScript code and exposes an unsafe interface to Java objects through the Java Reflection API. The flaw arises from improper input validation and sanitization within the application's webview implementation, allowing malicious actors to inject JavaScript code that can invoke arbitrary Java methods through reflection mechanisms. The security implications extend beyond simple data theft as this vulnerability can be exploited to execute arbitrary code on the victim's device, potentially leading to full system compromise.
The technical exploitation of this vulnerability occurs through a man-in-the-middle attack scenario where an attacker intercepts network traffic between the mobile application and its backend services. The attacker can manipulate the JavaScript code executed within the WebView component to leverage the Java Reflection API, which provides runtime access to class information and method invocation capabilities. This allows the attacker to bypass normal access controls and execute methods on Java objects that should otherwise be restricted. The vulnerability is classified under CWE-94, "Improper Control of Generation of Code ('Code Injection')," a child of CWE-74, "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')." The attack pattern aligns with ATT&CK technique T1059.007, "Command and Scripting Interpreter: JavaScript," and T1190, "Exploit Public-Facing Application," in the MITRE ATT&CK Enterprise matrix.
The operational impact of this vulnerability is severe as it enables attackers to perform a wide range of malicious activities including but not limited to data exfiltration, credential theft, device manipulation, and potential persistence mechanisms. Mobile applications using WebView components with unsafe JavaScript-to-Java bridge implementations are particularly vulnerable, as the reflection API provides attackers with extensive capabilities to interact with the underlying Android framework. The vulnerability can be exploited to access sensitive user data, perform unauthorized transactions, or even escalate privileges within the application's security context. The remote nature of the attack means that users can be compromised without their knowledge simply by using the vulnerable application while connected to an unsecured network, making this a particularly dangerous flaw in mobile applications that handle sensitive user information.
Mitigation strategies for CVE-2020-5604 should focus on implementing proper input validation and sanitization for all JavaScript code executed within WebView components. The primary fix involves updating the Mercari application to version 3.52.0 or later, which includes proper restrictions on Java Reflection API usage and enhanced security controls for JavaScript-to-Java communication. Organizations should also implement secure coding practices such as avoiding direct method exposure through WebView bridges, using whitelisting mechanisms for allowed Java methods, and implementing proper certificate pinning to prevent man-in-the-middle attacks. Additional defensive measures include network-level protections such as SSL/TLS inspection controls, regular security audits of mobile application code, and monitoring for suspicious network traffic patterns. The vulnerability highlights the importance of following secure mobile application development guidelines and implementing proper security controls throughout the software development lifecycle to prevent similar flaws from occurring in future versions of the application.
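The two paragraphs above describe the mechanism (a JavaScript-to-Java bridge in a WebView whose exposed object can be reached through reflection, combined with a cleartext load that a network attacker can tamper with) and the mitigations (exposing only a whitelisted set of methods, restricting what the WebView may load, pinning certificates). The following is an added illustration written for this page; it is not Mercari's code and says nothing about how the Mercari app was actually built. It shows a weak bridge of the kind the advisory describes beside a hardened one. The class names, the `requestAction` method, the `example.invalid` hosts and the action list are all hypothetical.

```java
// Added illustration (not Mercari's code): a weak WebView bridge beside a hardened one.
// All names below are hypothetical.
import android.annotation.SuppressLint;
import android.net.Uri;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

public final class BridgeExamples {

    // --- Weak pattern -----------------------------------------------------------
    // When the app targets API < 17, every public method of the injected object is
    // callable from page JavaScript and no @JavascriptInterface annotation is required,
    // so script can walk from the object to its Class and on into the Java runtime by
    // reflection. Loading the page over cleartext HTTP lets anyone on the network path
    // replace that script, which is the man-in-the-middle scenario in the advisory.
    public static class WeakBridge {
        public String getUserToken() { return "token-placeholder"; } // reachable from JS
        public void openUrl(String url) { /* navigates */ }          // reachable from JS
    }

    @SuppressLint("SetJavaScriptEnabled")
    public static void weakSetup(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new WeakBridge(), "app"); // whole object exposed
        webView.loadUrl("http://www.example.invalid/page");         // cleartext, tamperable
    }

    // --- Hardened pattern -------------------------------------------------------
    // Requires targetSdkVersion >= 17 in the build config: from that level the platform
    // exposes only methods carrying @JavascriptInterface, which is what closes the
    // reflection path through the bridge object. The single exposed method takes one
    // validated argument and returns nothing sensitive.
    public static final class SafeBridge {
        private static final Set<String> ALLOWED_ACTIONS = Collections.unmodifiableSet(
                new HashSet<>(Arrays.asList("refresh", "close")));

        @JavascriptInterface
        public boolean requestAction(String action) {
            if (action == null || !ALLOWED_ACTIONS.contains(action)) {
                return false; // unknown actions are ignored, never dispatched
            }
            // dispatch the whitelisted action on the UI thread ...
            return true;
        }
        // No other public methods: nothing else is reachable from JavaScript.
    }

    private static final Set<String> TRUSTED_HOSTS = Collections.singleton("www.example.invalid");

    // Only HTTPS origins on the allow list may be loaded; the transport itself should
    // additionally be pinned in res/xml/network_security_config.xml (<pin-set>) so a
    // man-in-the-middle with a forged certificate cannot serve the page at all.
    static boolean isTrusted(Uri uri) {
        return "https".equals(uri.getScheme())
                && uri.getHost() != null
                && TRUSTED_HOSTS.contains(uri.getHost());
    }

    @SuppressLint("SetJavaScriptEnabled")
    public static void hardenedSetup(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.getSettings().setAllowFileAccess(false);     // no file:// origins
        webView.setWebViewClient(new WebViewClient() {
            @Override // WebResourceRequest variant is available from API 24
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // returning true cancels the navigation; anything off the allow list is dropped
                return !isTrusted(request.getUrl());
            }
        });
        webView.addJavascriptInterface(new SafeBridge(), "app");
        webView.loadUrl("https://www.example.invalid/page");
    }

    // Remove the bridge whenever the WebView is reused for content that does not need it.
    public static void dropBridge(WebView webView) {
        webView.removeJavascriptInterface("app");
    }
}
```

The weak and hardened variants differ in three places that map directly onto the advisory: which methods the page can reach (whole object versus one annotated method), whether the WebView will load anything other than the pinned HTTPS origin, and whether the bridge exists at all when it is not needed. Checking `targetSdkVersion` in the build configuration is part of the fix, not an optional extra; the annotation alone is not enforced below API 17.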