CVE-2021-20733
Description
Improper authorization in handler for custom URL scheme vulnerability in あすけんダイエット (asken diet) for Android versions from v.3.0.0 to v.4.2.x allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper authorization in custom URL scheme handler in asken diet Android app allows remote attackers to direct users to arbitrary websites, enabling phishing attacks.
Vulnerability
The asken diet app (あすけんダイエット) for Android versions from v.3.0.0 to v.4.2.x implements a custom URL scheme handler that does not properly restrict which URLs can be accessed. This flaw, classified as CWE-939 (Improper Authorization in Handler for Custom URL Scheme), allows the app to be directed to any arbitrary website without proper validation [1].
Exploitation
An attacker can craft a malicious URL using the app's custom URL scheme and trick a user into clicking it (user interaction required). The vulnerable app then navigates to the attacker-specified website without any additional authentication or authorization checks [1].
Impact
Successful exploitation leads the user to an arbitrary website, which could be a phishing site designed to steal credentials or personal information. The CVSS v3.0 base score is 4.3 (Medium) with vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N, indicating low integrity impact and no confidentiality or availability impact [1].
Mitigation
Users should update the asken diet app to the latest version according to the developer's instructions. The fixed version is not explicitly stated in the available references, but the vendor has addressed the issue in a subsequent release [1].
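For developers of apps with a similar handler, the missing restriction described under Vulnerability can be expressed as an allowlist check on the link's target before anything is loaded. The following is an added example, not code from the asken diet app or its vendor; the scheme `exampleapp`, the parameter name `url` and the allowed hosts are assumptions chosen for illustration, and it uses `java.net.URI` so it runs on a plain JVM.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Set;

public class DeepLinkTargetCheck {
    // Assumptions: scheme, parameter name and hosts are placeholders, not the vendor's values.
    static final String APP_SCHEME = "exampleapp";
    static final String TARGET_PARAM = "url";
    static final Set<String> ALLOWED_HOSTS = Set.of("www.example.com", "help.example.com");

    /** Returns the URL the app may load, or null when the deep link must be rejected. */
    static URI resolveTarget(String deepLink) {
        try {
            URI link = new URI(deepLink);
            if (!APP_SCHEME.equalsIgnoreCase(link.getScheme()) || link.getRawQuery() == null) return null;
            for (String pair : link.getRawQuery().split("&")) {
                String[] kv = pair.split("=", 2);
                if (kv.length != 2 || !kv[0].equals(TARGET_PARAM)) continue;
                URI target = new URI(URLDecoder.decode(kv[1], StandardCharsets.UTF_8)).normalize();
                String host = target.getHost();            // null for malformed authorities
                boolean ok = "https".equalsIgnoreCase(target.getScheme())
                        && host != null
                        && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))
                        && target.getUserInfo() == null     // no user-info part in front of the host
                        && (target.getPort() == -1 || target.getPort() == 443);
                return ok ? target : null;                  // first occurrence of the parameter decides
            }
            return null;                                    // no target parameter present
        } catch (URISyntaxException | IllegalArgumentException e) {
            return null;                                    // unparsable input is rejected, never "fixed up"
        }
    }

    public static void main(String[] args) {
        String[] samples = {                                // constructed inputs
            "exampleapp://open?url=https%3A%2F%2Fwww.example.com%2Fdiary",
            "exampleapp://open?url=https%3A%2F%2Fphish.example.net%2Flogin",
            "exampleapp://open?url=https%3A%2F%2Fwww.example.com%40phish.example.net%2F",
            "exampleapp://open?url=http%3A%2F%2Fwww.example.com%2F",
        };
        for (String s : samples) {
            URI t = resolveTarget(s);
            System.out.println((t != null ? "ALLOW " + t : "REJECT") + "  <- " + s);
        }
    }
}
```

Only the first sample is allowed. The caller should load the returned, parsed `URI` rather than the original string, so the value that was checked is the value that is opened.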
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: 3.0.0 to 4.2.x
- asken Inc./あすけんダイエット (asken diet) for Android (v5). Range: versions from v.3.0.0 to v.4.2.x
Patches (0)
No patches discovered yet.
References (2)
- jvn.jp/en/jp/JVN38034268/index.html (mitre, x_refsource_MISC)
- www.asken.jp/s/login/ (mitre, x_refsource_MISC)