CVE-2023-39740 in Line
Summary
by MITRE • 10/25/2023
The leakage of the client secret in Onigiriya-musubee Line 13.6.1 allows attackers to obtain the channel access token and send crafted broadcast messages.
Analysis
by VulDB Data Team • 01/26/2026
CVE-2023-39740 is a critical flaw in the Onigiriya-musubee Line application, version 13.6.1, in which the client secret is exposed in the application code or configuration files. The client secret is the credential that authenticates the client to the platform and must remain confidential, so its leakage amounts to an authorization bypass: anyone who obtains the secret can impersonate the legitimate client and gain unauthorized access to the platform's messaging infrastructure.
Exploitation uses the exposed client secret to obtain channel access tokens from the Line messaging API: authenticated requests made with the compromised secret return valid tokens that carry full administrative privileges over the affected channels. With such a token, an attacker can send arbitrary broadcast messages to every user of the targeted channel, which amounts to mass message injection. The issue is classified under CWE-209, which covers exposure of sensitive information through error messages, and CWE-798, which covers the use of hard-coded credentials. The attack is particularly concerning because it requires minimal technical expertise and can be automated against multiple channels at once.
The operational impact goes beyond unauthorized message broadcasting: organizations using the Line messaging platform face potential data exfiltration, service disruption, and reputational damage. With the compromised access tokens, attackers can monitor user communications, inject malicious content, or run phishing campaigns through the legitimate messaging infrastructure. The threat persists until the exposed secret is rotated and the application is updated to remove the hardcoded credential. The issue maps to ATT&CK technique T1566, which covers social engineering through spearphishing, and T1071.004, which addresses application layer protocol usage for command and control communications.
Affected organizations must remediate the exposed client secret immediately. The primary mitigation is to rotate all affected client secrets and update the application configuration so that no credential is hardcoded. Security teams should run automated scanning tools that identify hardcoded secrets in source code repositories and configuration files, enforce strict access control policies, and adopt proper credential management practices: regular secret rotation, environment-specific configurations, and secure key management solutions. The application should move to secure authentication mechanisms such as OAuth 2.0 with proper token management rather than relying on static client secrets. Regular security assessments and code reviews should prevent similar vulnerabilities from entering future releases, and network monitoring should be tuned to detect unusual message broadcasting patterns that may indicate exploitation attempts. The vulnerability also underlines the value of secure development lifecycle practices and adherence to standards such as NIST SP 800-53 for protecting sensitive information and maintaining proper authentication controls within messaging platforms.
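As an added illustration of the automated secret scanning called for above (example code written for this page, not VulDB's or the affected application's), the scanner below walks constructed file contents, flags assignments of a LINE client/channel secret or channel access token to a random-looking literal, and leaves environment-loaded credentials and placeholder values alone. The file names, regular expression, and entropy threshold are assumptions.

```python
import math
import re
from collections import Counter

# Assignment of one of the credentials this advisory concerns (client/channel secret,
# channel access token) to a quoted or bare literal of at least 16 token characters.
SECRET_ASSIGNMENT = re.compile(
    r"(?P<key>(?:client|channel)[_-]?secret|channel[_-]?access[_-]?token)\s*[:=]\s*"
    r"[\"']?(?P<value>[A-Za-z0-9+/=_-]{16,})",
    re.IGNORECASE,
)
MIN_ENTROPY = 3.5  # bits/char (assumed threshold): 32-char hex/base64 secrets score ~3.6-5.0

def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of text (0.0 for a single repeated character)."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def looks_random(value: str) -> bool:
    """Heuristic: high entropy plus at least one digit; drops placeholders like your_secret_here."""
    return shannon_entropy(value) >= MIN_ENTROPY and any(ch.isdigit() for ch in value)

def find_hardcoded_secrets(files: dict[str, str]) -> list[dict]:
    """Scan {path: contents} and report credential assignments whose value is a random-looking
    literal. A line that reads the credential from the environment carries no literal and is
    not reported, which is the pattern the fix should leave behind."""
    findings = []
    for path, contents in files.items():
        for lineno, line in enumerate(contents.splitlines(), start=1):
            m = SECRET_ASSIGNMENT.search(line)
            if m and looks_random(m.group("value")):
                value = m.group("value")
                findings.append({
                    "path": path, "line": lineno, "key": m.group("key"),
                    "preview": value[:4] + "..." + value[-2:],  # never log the full secret
                })
    return findings

# Constructed sample repository contents; not the affected application's real code or secrets.
SAMPLE_FILES = {
    "config/line.yml": "channel_id: 1234567890\nchannel_secret: 9d2f1c4b8a7e3f6d0c5b2a1e4f7d8c9b\n",
    "src/bot.py": (
        "import os\n"
        "CHANNEL_SECRET = os.environ['LINE_CHANNEL_SECRET']  # read at runtime: not flagged\n"
        "LINE_CHANNEL_ACCESS_TOKEN = 'kQ3vZ9pL2mX8rT5wB7nC1yH4jF6dS0aG'\n"
    ),
    "docs/README.md": "channel_secret: your_channel_secret_here\n",
}

if __name__ == "__main__":
    for f in find_hardcoded_secrets(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']} hardcoded {f['key']} ({f['preview']})")
```

Run against a real checkout by building the `files` mapping from the repository tree; a finding means the value must be rotated, not merely deleted from the file.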