LINE Engineering
Blog

  • Buffer overflow in PJSIP, a VoIP open source library
    Kim Youngsung 2018.02.27

    He's a security engineer at LINE. He enjoys looking for bugs and is highly interested in secure coding.

    Hi all, I am Youngsung Kim (Facebook, Twitter) of the Application Security team at LINE, and I am in charge of evaluating the security of LINE services. In this post, I'd like to share a vulnerability (CVE-2017-16872, AST-2017-009) in PJSIP, a VoIP open source library. PJSIP is a multimedia communication library based on the following standard protocols: SIP, SDP, RTP, STUN, TURN, and ICE. The Asterisk framework, widely used in IP-PBX and VoIP gateways, has a SIP stack implemented on top of PJSIP.

    The vulnerability was caused by carelessness about sign extension of integers when converting signed int to unsigned long while handling a client's SIP requests in a 64-bit environment. There was no window to report the security issue to the PJSIP development team, so I made my report through Asterisk's security page. Afterwards, I consulted with George Joseph, an engineer at Asterisk, and the patch (PJSIP patch, Asterisk patch) has been applied in pjproject v2.7.1. I'd like to express my gratitude to George for processing the patch.


  • LINE Security Bug Bounty Program Report 2017
    Lee Myeongjae 2018.02.14

    He is a security engineer at LINE.

    Hello again, this is Myoungje Yi (MJ) from LINE's security team. I'd like to share our annual report on running the LINE Security Bug Bounty Program in 2017.

    Program scope expansion & donation option

    The 'LINE Security Bug Bounty Program' aims to provide LINE users with the most secure service by getting reports from external security researchers and fixing potential vulnerabilities in advance. As we already mentioned in our previous post, we expanded the program scope in 2017, which resulted in an increased number of reports submitted. In November 2017, we added an option allowing reporters to donate their reward.


  • LINE and Intertrust Security Summit 2017 Spring, Tokyo 2
    Naohisa Ichihara 2017.08.18

    Hello, this is Ichihara from the LINE security team. I am in charge of security consultation for LINE services, providing countermeasures for account hacking and abuse, researching authentication technology, and engaging in standardization activities.

    Today, I would like to share with you an event titled, "LINE and Intertrust Security Summit 2017 Spring, Tokyo", co-hosted by LINE and Intertrust on May 17. I will cover this event over two posts; this is the second part of the recap. Have a look at the first part from here

    Here is some basic information about the event.


  • LINE and Intertrust Security Summit 2017 Spring, Tokyo 1
    Naohisa Ichihara 2017.08.18

    Hello, this is Ichihara from the LINE security team. I am in charge of security consultation for LINE services, providing countermeasures for account hacking and abuse, researching authentication technology, and engaging in standardization activities.

    Today, I would like to share with you an event titled, "LINE and Intertrust Security Summit 2017 Spring, Tokyo", co-hosted by LINE and Intertrust on May 17. I will cover this event over two posts; this is the first part of the recap. Have a look at the second part from here

    Here is some basic information about the event.


  • Results From First half of 2017 LINE Security Bug Bounty Program
    Lee Myeongjae 2017.08.07

    He is a security engineer at LINE.

    Scope Expansion

    Hi all, this is MJ (Myoungjae Lee), in charge of security at LINE. I am back with a report on running the LINE Security Bug Bounty Program for the first half of 2017. For those of you who are new to this program, its purpose is to provide LINE users with the most secure service possible by letting external security researchers submit bug (vulnerability) reports, which we would then immediately fix. Since our official launch of the program on June 2, 2016, we have expanded the program scope to include the following:

    • LINE: Chrome version and Windows 10 Mobile version
    • Website: LINE STORE, LINE NEWS, LINE MUSIC, and LINE LIVE
    • For those of you who are interested, check the press release on the program scope expansion.
