LINE Chat – Unencrypted Chat Messages and Unauthorized Access to Message Attachments

Author: YoKo Kho | Posted in Bug Report, Mobile Apps, Write-Up No comments

cover - LineIllustration from Line.me

I. ABSTRACT
Sending short messages is a daily activity which is hard to be separated from the most societies in this era. Technology developing which is followed by the availability of internet packet that is easy to be achieved for most societies, is being the forerunner of the birth of the exchanging-message-service application which is no longer using the conventional ‘short messaging service’ that is offered by operator.

One of them is LINE. LINE is an exchanging-message-service application which allows the user exchanges messages free with their friends anytime and anywhere which is using the internet for communicating. Not only limited to short message, LINE is providing supports for the users to be able to send picture, video, audio, or even location to other users. Moreover, LINE is also providing a feature to do a free audio/ video call.

LINE itself is available in many platforms which is not limited to mobile platforms only, but for desktop OS. iPhone, Android, Windows Phone, Blackberry, Firefox OS, and Nokia Asha are the mobile platforms which are supported by LINE to help all the users to use it for communicating each other. Then, for desktop OS itself, LINE has supported it for Windows OS and Mac OS.

According to the statistic which has been summarized by CISO Magazine from statista.com – this LINE applications is being used by more than 400 million users in the world.

“Established in 2011, LINE has had more than 400 million user in the world, especially in Japan and Asia region. According to the survey which was released by Statista.com in February 2014, in only Indonesia itself- LINE has had 20 million users and Indonesia is the third biggest user after Thailand and Japan.”

By seeing the amount of the users which is so many and how big the exchanging-message-activity that happens in its users who might have some important data, LINE itself has given a safety feature like “passcode” that can be used by all users to save their conversation confidentiality that is being stored in the related application of the existence of unauthorized access from physical access aspect.

In this topic, we will discuss about the weaknesses of the message-saving method and attachment which are conducted by LINE for iPhone version that may be resulted to an Attacker for seeing the message’s contents that is stored in the related application, although the application has been locked by passcode or even the iPhone itself.

II. INTRODUCTION
As we have said in another simple paper of ours, passcode is a need for everyone who wants to protect their confidentiality about something which is considered to be a secret. According to the Oxford Dictionary, Passcode is “A string of characters used as a password, especially to gain access to a computer or smartphone”. In another reference, passcode is a kind of password that is generally used as a mechanism to show identity. Passcode and Password are assessed as something which are made by the user.

In general, the difference between Password and Passcode can be seen from the type of characters that are inputted. If Passcode makes the user must input (only) number, therefore in Password, the user can input a combination of alphabet, number, and symbol.

Then, let’s get to the main topic. Based on the statements above, the objective of the passcode in LINE is to prevent the existence of unauthorized access from physical access aspect. And based on the discussion in abstract part, in this LINE version (<= v.4.5.1), we have found that an Attacker will be able to see the message’s contents, contact information, or even the attachment that is consisted by a conversation which happens between a user and its friend, although the application has been locked by passcode or even the iPhone itself.

2.1. Data Definition
To shorten and keep this easy, we have written the things which are defined by “data”, so in this part, firstly we want to give a related description category of “data” which we meant in this paper. As for the data which we are talking in this simple paper is such as, contact information, message/ chat, and also attachment (audio or even picture) which has been shared.

III. AFFECTED VERSION AND CONDITION
The version of LINE Chat which has those vulnerabilities is version <= 4.5.1 (besides from “Hidden Chat” feature). Here is the list of the things that can be accessed by an Attacker, related to the vulnerabilities:
1. Read the message/ chat from the user.
2. See the sent attachment as during the user does a conversation with its friend.
3. See the contact information (phone book from the user). This situation can be happened when a user formerly has used the “Auto Add Friends” even being done locally.

For information, jailbreak is not required to be able to execute those vulnerabilities.

Nb: There is an additional note related to this thing that is need to be paid attention by the users, that the Attacker won’t be able to gain deleted conversation by the user. In other words, when a user has deleted a conversation, so that conversation will fully gone from the user’s device. So, with using “Hidden Chat” feature that has just been released since 4.5.0 version, so the user doesn’t need to be worried of those vulnerabilities.

IV. PROOF OF CONCEPT
1. Connect the iPhone with LINE inside to the PC.
2. Access “Applications” directory in iPhone with iExplorer tools such as iFunBox.
3. Go to the “LINE” application and you will see some directories and files inside the application.
4. Go to the inside of “Documents” directory and we will see some files. One of them is a file with sqlite format.

talk-sqlite on Documents Directory

Figure 1: “talk.sqlite” on Documents Directory

5. Open “talk.sqlite” file with SQLiteBrowser or such. You will face many tables in this “talk.sqlite” file.
6. After that, access the data which has been discussed in the part III, with:
6.1. Open “ZMESSAGE” table or “ZCHAT” in “talk.sqlite” for reading any messages or chats that have been done by the user.

unencrypted chat message - LINE ApplicationFigure 2: Unencrypted Message

2 - talk.sqlite - unencrypted message - zchat

Figure 3: Unencrypted Chat with User ID (for user’s Profile Picture)

6.2. Open “ZCONTACT” table on “talk.sqlite” for reading contact information from the user’s phone book. It has to be noted, that this data will only be able after the user used “Auto Add Friends” feature automatically or manually.

Contact Information - ZCONTACT

Figure 4: Contact Information – ZCONTACT

6.3. Open “Message Attachments” directory in “LINE > Library > Applications” for seeing/ accessing attachment’s contents that have been sent by the users or even their friends.

unauthorized access to message attachments

Figure 5: Unauthorized Access to Message Attachments

7. To show that this thing is not limited only to a specified iPhone or iOS version, we have done some exact tests to iOS 6.1.3 with iPhone 4s (previously with iOS 7.1.2 with iPhone 5). With the explained ways before, we have gotten an exact result from the related vulnerabilities.

another same testing on iOS 6

Figure 6: Another same testing on iOS 6

V. RESPONSE FROM DEVELOPER
With the total users that reach 400 million, which absolutely not few of them delivered some critics, complaints, or ideas in the same time, LINE can still respond fast and well related to the report which we have submitted on July 11th 2014. On that occasion, LINE has said that they would fix the vulnerabilities that we have been reported as soon as possible by trying to study where the problem is.Reply from LINE - 18 July 2014

Figure 7: Reply from LINE Customer Support

Then, we replied the response from LINE and ask for their permission for publishing this thing. Instantly, LINE replied and gave permission for us to publish it. On that occasion, LINE has informed that their development team has been succeeded to identify where the problem is, and will try to fix the vulnerabilities as great as possible.

Reply from LINE

Figure 8: Fast and Kind Response from LINE Customer Support

5.1. New Feature from LINE – “HIDDEN CHAT”
Just like answering a bit of our submitted report, LINE’s seriousness in responding this thing can be seen with their fast action by releasing the “Hidden Chat” feature that assessed by LINE as a very great way for the users who often use this application to exchange sensitive information.

“This feature is perfect for sending messages containing sensitive information or images that you only want the recipient to see.” – said LINE from their Official Blog.

With using this feature, so the messages which are stored in user’s device will be destroyed (deleted) by itself, according to the time limitation that is chosen by the users. And like the description which we have said in part III, the deleted messages won’t be available to be read by an Attacker and even by the user itself. Here is the result of the test that we have been done with using the related feature:

Hidden Chat Feature

Figure 9: Hidden Chat Feature – Secure – LINE >= v.4.5.0

It can be seen in the 230th row, the sent message by the user to their friends with using “Hidden Chat” feature won’t be shown anymore in “ZLASTMESSAGE” column (60.0 has 1 hour definition). And it can also be seen that LINE has added “ZEXPIREINTERVAL” column in this table that shows “Hidden Chat” feature has been set in the user’s device.

With seeing those things, this feature will absolutely be an answer for fixing the vulnerabilities problem. Why so? This thing is because there is possibility that the user will save their messages longer than the limited time given, but the user itself still wants to be sure that themselves are saved from the existing vulnerabilities.

However, if we see the fast respond and action of the LINE’s new feature release, it can be said that LINE will be able to release the related correction to this thing in a relative short time. Moreover, they have been succeeded in identifying where the problem is.

5.2. Timeline – Reporting
July 11th, 2014 – We sent a simple technical report through the website which is provided by LINE.
July 18th, 2014 – LINE responded our report and apologized of the lateness of the related replies to the submitted report. On this occasion, LINE has said that they will investigate the existing vulnerabilities immediately.
July 19th, 2014 – We replied the response from LINE. On this occasion, we asked the permission from LINE so we could publish this thing in our blog.
July 21th, 2014 – Line released “Hidden Chat” feature corresponding to the thing that we have said in part 5.1.

Hidden Chat

Figure 10: Hidden Chat Feature

24 July 2014 – LINE responded our reply again. In the response this time, LINE gave us permission for publishing this thing as long as there aren’t anything that is contradicted to the term of service of LINE. On this occasion, LINE has said that their development team has been succeeded to identify the existing vulnerabilities and will try to fix this thing as great as they can.

VI. SUMMARY AND RECOMMENDATION
Generally, with using this vulnerabilities, an Attacker will be able to see the saved data in LINE application and doesn’t rule out the possibility of the sensitive information in the application.

With seeing the status related to this thing, so the best recommendation that can be implemented by all users for temporary while waiting for the fixes by LINE in the short time, is:

  1. Update the used LINE version to the newest version and use the “Hidden Chat” feature that has been provided by LINE for the users.
  2. Always keep their owned iPhone from the possibility of physical access that can make an Attacker will be able to connect the related iPhone to their PC to access the available directories. Of course, this thing is only to be done temporarily until the LINE publish the newer version that has fixed this thing.
  3. Don’t use “Auto Add Friends” feature for a while until the contact information is encrypted on LINE’s “talk.sqlite”.

 

Download the paper directly from here:

Add Your Comment