JVN#54025691: Gurunavi Apps fail to restrict access permissions

Gurunavi Apps provided by Gurunavi, Inc. implement the function to access a requested URL using Custom URL Scheme.
This function contains an improper access control vulnerability (CWE-284) that may allow the vulnerable App to receive an request from an arbitrary App and execute an access.

Impact

A remote attacker may lead a user to access an arbitrary website via the vulnerable App. As a result, the user may become a victim of a phishing attack.

Solution

Update the Application
Update the application to the latest version according to the information provided by the developer.

Products Affected

• Gurunavi App for Android ver.10.0.14 and earlier
• Gurunavi App for iOS ver.11.2.3 and earlier
  【Updated on 2021 May 24】
  When this advisory was first published on 2021 April 14, the affected versions were described as “Gurunavi App for Android ver.10.0.10 and earlier” and “Gurunavi App for iOS ver.11.1.2 and earlier”. However, it was found that the fixes were not adequate, thus above versions that contain the fixes were released later.