CVE-2024-41918

6.1 MEDIUM

📋 TL;DR

The Rakuten Ichiba mobile apps for Android and iOS contain an improper authorization vulnerability in their custom URL scheme handlers. This allows other installed apps to launch arbitrary websites within the app's WebView, potentially redirecting users to phishing sites. Users of Rakuten Ichiba Android version 12.4.0 and earlier or iOS version 11.7.0 and earlier are affected.

💻 Affected Systems

Products:
  • Rakuten Ichiba App for Android
  • Rakuten Ichiba App for iOS
Versions: Android: 12.4.0 and earlier, iOS: 11.7.0 and earlier
Operating Systems: Android, iOS
Default Config Vulnerable: ⚠️ Yes
Notes: Exploitation requires another, malicious app installed on the same device that can invoke the vulnerable Intent/URL scheme.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Users could be redirected to sophisticated phishing sites that steal login credentials or payment information, or that install malware, all through the app's trusted context.

🟠 Likely Case

Users are redirected to phishing sites attempting to steal Rakuten account credentials or payment information through the app's WebView.

🟢 If Mitigated

With proper URL validation and authorization checks, only legitimate Rakuten URLs would be allowed, preventing external manipulation.
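The allow-list check this mitigation describes, as an added example that is not the Rakuten Ichiba app's own code (Java for Android); the allowed host, the hypothetical custom scheme and the `url` query-parameter convention are assumptions:

```java
// Added example, not the Rakuten Ichiba app's own code: an allow-list check
// that a custom-scheme deep-link handler runs before handing a URL to a WebView.
import android.content.Intent;
import android.net.Uri;
import android.util.Log;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public final class DeepLinkGuard {
    private static final String TAG = "DeepLinkGuard";
    // Assumed first-party allow-list; substitute the app's real hosts.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("www.rakuten.co.jp"));

    /** True only for an https URL whose host exactly matches the allow-list. */
    public static boolean isAllowedTarget(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        if (uri.isOpaque()) return false;                    // javascript:, mailto:, data:
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
        if (uri.getUserInfo() != null) return false;          // https://www.rakuten.co.jp@evil.example
        String host = uri.getHost();
        if (host == null || host.isEmpty()) return false;
        host = host.toLowerCase();
        if (host.endsWith(".")) host = host.substring(0, host.length() - 1);
        // Exact match only: endsWith("rakuten.co.jp") would accept evil-rakuten.co.jp.
        return ALLOWED_HOSTS.contains(host);
    }

    /**
     * Call from the Activity that declares the custom scheme in its intent-filter.
     * Assumed convention (hypothetical scheme): the page to open travels in a
     * "url" query parameter, e.g. ichiba://open?url=https%3A%2F%2Fwww.rakuten.co.jp%2F
     */
    public static void handleDeepLink(Intent intent, WebView webView) {
        Uri data = intent == null ? null : intent.getData();
        String target = null;
        if (data != null && data.isHierarchical()) {
            target = data.getQueryParameter("url");
        }
        if (isAllowedTarget(target)) {
            webView.loadUrl(target);   // loading the parameter without this check is the bug class
        } else {
            Log.w(TAG, "Rejected deep-link target: " + target);  // log for detection, do not load
        }
    }
}
```

Matching the host exactly against a fixed set, rather than by suffix or substring, is what keeps attacker-controlled hosts out of the WebView.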

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires that the user has a malicious app installed which can trigger the vulnerable URL scheme; no authentication is needed for the attack itself.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Android: 12.4.1+, iOS: 11.7.1+

Vendor Advisory: https://jvn.jp/en/jp/JVN56648919/

Restart Required: No

Instructions:

1. Open the Google Play Store or Apple App Store.
2. Search for 'Rakuten Ichiba'.
3. Update to the latest version (Android 12.4.1+ or iOS 11.7.1+).
4. No restart is required after the update.

🔧 Temporary Workarounds

Uninstall suspicious apps (all platforms)

Remove any unfamiliar or untrusted apps that could exploit the vulnerability.

Disable app links/URL handling (all platforms)

In the Android/iOS settings, prevent the Rakuten app from opening links (temporary workaround).

🧯 If You Can't Patch

  • Uninstall the Rakuten Ichiba app until a patched version is available
  • Use the Rakuten website instead of the mobile app for shopping

🔍 How to Verify

Check if Vulnerable:

Check app version in device settings: Android: Settings > Apps > Rakuten Ichiba > App info; iOS: Settings > General > iPhone Storage > Rakuten Ichiba

Check Version:

Not applicable - check via device settings as described

Verify Fix Applied:

Verify that the app version is Android 12.4.1+ or iOS 11.7.1+ after the update.

📡 Detection & Monitoring

Log Indicators:

  • Unusual URL scheme activations from other apps
  • WebView loading non-Rakuten domains

Network Indicators:

  • App connecting to unexpected domains through WebView
  • HTTPS traffic to non-Rakuten shopping/phishing sites

SIEM Query:

Not applicable for typical mobile app deployment
