CVE-2024-35298 – This vulnerability allows malicious Android app... (How to Fix)

Q: What is the severity of CVE-2024-35298?

CVE-2024-35298 has a CVSS score of 4.3 (MEDIUM). This vulnerability allows malicious Android apps to trick the ZOZOTOWN shopping app into opening arbitrary websites via custom URL schemes. Attackers could exploit this to launch phishing attacks against users. Only Android users with ZOZOTOWN versions before 7.39.6 are affected.

📋 TL;DR

This vulnerability allows malicious Android apps to trick the ZOZOTOWN shopping app into opening arbitrary websites via custom URL schemes. Attackers could exploit this to launch phishing attacks against users. Only Android users with ZOZOTOWN versions before 7.39.6 are affected.

💻 Affected Systems

Products:

ZOZOTOWN Android App

Versions: All versions prior to 7.39.6

Operating Systems: Android

Default Config Vulnerable: ⚠️ Yes

Notes: Requires user to have both ZOZOTOWN app and a malicious app installed on same device.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Users could be redirected to sophisticated phishing sites that steal login credentials, payment information, or install malware through social engineering.

🟠

Likely Case

Users are tricked into visiting fake ZOZOTOWN or payment pages that harvest credentials or personal information.

🟢

If Mitigated

With proper app permissions and user awareness, impact is limited to annoyance from unwanted browser redirects.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires user interaction (clicking malicious link) but is technically simple for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.39.6

Vendor Advisory: https://jvn.jp/en/jp/JVN37818611/

Restart Required: No

Instructions:

1. Open Google Play Store 2. Search for ZOZOTOWN 3. Tap Update button 4. Verify version is 7.39.6 or higher

🔧 Temporary Workarounds

Disable app links handling

android

Prevent ZOZOTOWN from handling custom URL schemes

Android Settings > Apps > ZOZOTOWN > Open by default > Clear defaults

🧯 If You Can't Patch

Uninstall ZOZOTOWN app and use web browser version instead
Install reputable mobile security app to detect malicious applications

🔍 How to Verify

Check if Vulnerable:

Check app version in Android Settings > Apps > ZOZOTOWN > App info

Check Version:

Not applicable - check via Android UI

Verify Fix Applied:

Confirm version is 7.39.6 or higher in app settings

📡 Detection & Monitoring

Log Indicators:

Unexpected URL scheme launches from other apps to ZOZOTOWN

Network Indicators:

ZOZOTOWN app connecting to non-zozo.co.jp domains

SIEM Query:

Not applicable for mobile app vulnerability

📊 Metadata

CVE ID: CVE-2024-35298

CVSS v3 Score: 4.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CWE: CWE-939

Published: June 19, 2024

Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-35298, you might also want to check these: