JVN#93167107: Android App "Mercari" (Japan version) vulnerable to arbitrary method execution of Java object

Published: 2020-07-08 00:00:00
Source: Japan Vulnerability Notes (jvn.jp)

CVSS v2: 6.8 Medium
  Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
  • Attack Vector: NETWORK
  • Attack Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

CVSS v3: 8.1 High
  Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

EPSS: 0.003 Low (Percentile: 71.1%)

Android App “Mercari” (Japan version) provided by Mercari, Inc. contains a vulnerability that may allow arbitrary Java method execution (CWE-749) due to inadequate restrictions on the addJavascriptInterface method of the WebView class.

Impact

An arbitrary method of a Java object may be executed by a remote attacker who performs a man-in-the-middle attack, using the Java Reflection API from JavaScript code running in the WebView.
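The following is an added illustration, not Mercari's code, of the WebView bridge pattern behind CWE-749 and of the hardened form that Android's own documentation recommends. The class and method names (BridgeSetup, AppBridge, readToken, trustedHost) and the host example.invalid are hypothetical. The point it shows: when an object is exposed through addJavascriptInterface and the app runs in legacy mode (runtime API level or targetSdkVersion below 17), every public method of that object is reachable from page JavaScript; on API 17 and later, only methods annotated with @JavascriptInterface are callable, and loading only HTTPS pages from a known host removes the on-path attacker's ability to inject script in the first place.

```java
import android.annotation.SuppressLint;
import android.net.Uri;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public class BridgeSetup {

    // Hypothetical bridge object exposed to page JavaScript.
    public static class AppBridge {
        private final String token = "constructed-sample-token"; // constructed value

        // On API 17+ (with targetSdkVersion >= 17) this is the ONLY method JS can call.
        @JavascriptInterface
        public String getAppVersion() {
            return "1.0";
        }

        // Unannotated public method: in legacy mode (< 17) JS can still reach it,
        // and through reflection on the exposed object, any other Java class as well.
        public String readToken() {
            return token;
        }
    }

    // Vulnerable pattern: bridge exposed, page loaded over cleartext HTTP, no origin
    // restriction. An on-path attacker who rewrites the page controls the JavaScript
    // that talks to the bridge.
    @SuppressLint({"SetJavaScriptEnabled", "AddJavascriptInterface"})
    public static void vulnerable(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new AppBridge(), "AppBridge");
        webView.loadUrl("http://example.invalid/help");
    }

    // Hardened pattern: no bridge in legacy mode, HTTPS-only navigation pinned to one
    // trusted host, and only annotated methods exposed (enforced by the platform).
    // targetSdkVersion >= 17 must also be set in the app's build configuration.
    @SuppressLint("SetJavaScriptEnabled")
    public static void hardened(WebView webView, final String trustedHost) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.JELLY_BEAN_MR1) {
            // Legacy runtime: the annotation restriction does not apply, so expose nothing.
            webView.getSettings().setJavaScriptEnabled(false);
            return;
        }
        webView.getSettings().setJavaScriptEnabled(true);

        // Block any navigation that is not HTTPS to the trusted host.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // Returning true cancels the navigation.
                return !isTrustedOrigin(Uri.parse(url), trustedHost);
            }
        });

        webView.addJavascriptInterface(new AppBridge(), "AppBridge");
        webView.loadUrl("https://" + trustedHost + "/help");
    }

    // Scheme must be https and the host must match exactly (case-insensitive).
    static boolean isTrustedOrigin(Uri url, String trustedHost) {
        return url != null
                && "https".equalsIgnoreCase(url.getScheme())
                && trustedHost != null
                && trustedHost.equalsIgnoreCase(url.getHost());
    }
}
```

Where a bridge is not needed at all, the strongest fix is to not call addJavascriptInterface; where it is, raising targetSdkVersion to 17 or above, annotating only the intended methods, and confining the WebView to HTTPS content from a host the app controls are the three changes that remove the condition described in this advisory.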

Solution

Update the Application
This vulnerability is addressed by updating the application to the latest version.
According to the developer, there is no need for users to take any actions since the application is automatically updated when it is launched, and the affected API level is no longer in use in the current versions of the application.

Products Affected

  • Android App “Mercari” (Japan version) prior to version 3.52.0
    According to the developer, affected versions are no longer in use at this point, because the update was applied automatically when the application was launched.
