New Bug in Studyplus application could allow attackers to exploit data

“Studyplus”, provided by Studyplus Co., Ltd., contains a flaw (CWE-798) in which the API key of an external service is hard-coded.

Friday, November 6, 2020, 10:38 GMT

By analyzing the data in the app, it is possible to obtain the API key used to connect to external services.
Note that users of the product are not themselves affected by this flaw.

The following person reported this vulnerability information to IPA based on the Information Security Early Warning Relationship, and JPCERT/CC coordinated with the developer.

Reporter: Ryu Sato

Solution:

Update to the latest version according to the information provided by the developer.

According to the developer, the API key has been removed from the software in the updated version.


Because the API key has already been invalidated, the information found in versions of the software affected by this flaw can no longer be used.
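
A release-gate check for this class of flaw (CWE-798), as an added example that is not part of the original advisory or the developer's code: it extracts printable strings from the files of a build and flags key-like names bound to high-entropy values. The file names, the key value, the pattern and the entropy threshold are all constructed assumptions.

```python
import math
import re

# Printable ASCII runs of 8+ bytes, the same idea as the `strings` utility.
PRINTABLE = re.compile(rb"[\x20-\x7e]{8,}")
# A key-like name, a short separator, then a long token (KEY=..., "key": "...").
KEYLIKE = re.compile(
    r"(?i)(api[_-]?key|secret|token)\W{1,12}([A-Za-z0-9_\-+/=]{20,})")


def shannon_entropy(s):
    """Bits per character; random keys score high, placeholders low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_hardcoded_keys(files, min_entropy=3.5):
    """Return (filename, name, redacted_value) for each suspected key.

    `files` maps a file name to its raw bytes, e.g. the contents of an
    unpacked release build. The threshold is an assumed starting point.
    """
    findings = []
    for fname, blob in sorted(files.items()):
        for run in PRINTABLE.findall(blob):
            for m in KEYLIKE.finditer(run.decode("ascii")):
                name, value = m.group(1), m.group(2)
                if shannon_entropy(value) >= min_entropy:
                    # Never log the full secret; keep only a short prefix.
                    findings.append((fname, name, value[:4] + "..."))
    return findings


# Constructed sample input (not taken from the Studyplus app).
SAMPLE_BUILD = {
    # Key compiled into a native library: should be flagged.
    "libapp.so": b"\x7fELF\x02\x01\x00\x00"
                 b"api_key=q7Zt2LxV9mB4cR8wK1nY5pD3\x00\x00",
    # Template placeholder: matches the pattern but has zero entropy.
    "template.env": b"API_KEY=XXXXXXXXXXXXXXXXXXXXXXXX\n",
    # Key-like words with no secret value attached.
    "Remote.json": b'{"token_endpoint": "https://example.invalid/v1/token"}',
}

if __name__ == "__main__":
    for finding in find_hardcoded_keys(SAMPLE_BUILD):
        print(finding)
```

A finding means the key must be both removed from the build and invalidated at the external service, as the developer did here, since copies of already-shipped versions still contain it.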