Category Archives: Security

Introducing AIR GO

AIR GO is an app vulnerability scanning service for finding vulnerabilities in Android or iOS app package files (apk or ipa). AIR GO is somewhat similar to SandDroid, an open source project. Recently, LINE has been using AIR GO to check LINE apps for vulnerabilities before they are released, to provide secure services to LINE users. Anyone can access AIR GO simply by registering their email address. AIR GO has actually been introduced on the LINE website before; today, I’d like to discuss it from more of a developer’s point of view.

LINE Security Bug Bounty Program Report 2018 – First half

This is Myeongjae Lee (MJ), back with our report on running the LINE Security Bug Bounty program from January till June this year. The ‘LINE Security Bug Bounty Program’ aims to provide LINE users the most secure service by fixing potential vulnerabilities in advance, by getting reports from external security researchers.

Buffer overflow in PJSIP, a VoIP open source library

Hi all, I am Youngsung Kim (Facebook, Twitter) of the Application Security team at LINE and am in charge of evaluating the security of LINE services. In this post, I’d like to share a vulnerability (CVE-2017-16872, AST-2017-009) in PJSIP, a VoIP open source library. PJSIP is a multimedia communication library based on the following standard protocols: SIP, SDP, RTP, STUN, TURN, and ICE. The Asterisk framework, widely used in IP-PBX and VoIP gateways, has a SIP stack implemented based on PJSIP.

The vulnerability was caused by careless handling of integer sign extension when converting a signed int to an unsigned long while handling a client’s SIP requests in a 64-bit environment. There was no channel for reporting the security issue to the PJSIP development teams, so I made my report through Asterisk’s security page. Afterwards, I consulted with George Joseph, an engineer at Asterisk, and the patch (PJSIP patch, Asterisk patch) was applied in pjproject v2.7.1. I’d like to express my gratitude to George for processing the patch.

LINE Security Bug Bounty Program Report 2017

Hello again, this is Myoungje Yi (MJ) from LINE’s security team. I’d like to share our annual report on running the LINE Security Bug Bounty Program in 2017.

Program scope expansion & donation option

The ‘LINE Security Bug Bounty Program’ aims to provide LINE users the most secure service by fixing potential vulnerabilities in advance, by getting reports from external security researchers. As we mentioned in our previous post, we expanded the program scope in 2017, which resulted in an increased number of reports submitted. In November 2017, we added an option allowing reporters to donate their reward.

LINE and Intertrust Security Summit 2017 Spring, Tokyo 1

Hello, this is Ichihara from the LINE security team. I am in charge of security consultation for LINE services, providing countermeasures for account hacking and abusing, researching authentication technology, and engaging in standardization activities.

Today, I would like to share with you an event titled “LINE and Intertrust Security Summit 2017 Spring, Tokyo”, co-hosted by LINE and Intertrust on May 17. I will cover this event over two posts; this is the first part of the recap. Have a look at the second part here.

Here is some basic information about the event.


LINE and Intertrust Security Summit 2017 Spring, Tokyo 2

Hello, this is Ichihara from the LINE security team. I am in charge of security consultation for LINE services, providing countermeasures for account hacking and abusing, researching authentication technology, and engaging in standardization activities.

Today, I would like to share with you an event titled “LINE and Intertrust Security Summit 2017 Spring, Tokyo”, co-hosted by LINE and Intertrust on May 17. I will cover this event over two posts; this is the second part of the recap. Have a look at the first part here.

Here is some basic information about the event.


Results From First half of 2017 LINE Security Bug Bounty Program

Scope Expansion

Hi all, this is MJ (Myoungjae Lee), in charge of security at LINE. I am back with a report on running the LINE Security Bug Bounty Program for the first half of 2017. For those of you who are new to this program, its purpose is to provide LINE users the most secure service possible by letting external security researchers submit bug (vulnerability) reports which we would then immediately fix. Since our official launch of the program on June 2, 2016, we have expanded the program scope to include the following:

  • LINE: Chrome version and Windows 10 Mobile version
  • Website: LINE STORE, LINE NEWS, LINE MUSIC, and LINE LIVE

For those of you who are interested, check the press release on the program scope expansion.

BigDB – an ad data pipeline for LINE

Before we begin

Hello, we are Jongkyu Lim and Joonghoon Shin, responsible for processing ads data and developing the ads platform at LINE. In this blog post, I’d like to talk about BigDB: a big data processing pipeline for LINE ads. I’ll go into detail about how BigDB came to be, what BigDB is, how it’s structured, what it does, and what use cases it has.

How BigDB came to be

As we gather data from various services that are growing in size, the size of the data grows larger as well, making it difficult to properly use it for analysis. Up until now, we’ve used several open solutions that support big data to tackle this problem. While using several of these open solutions that have different strengths and weaknesses, we felt the need for a simpler and more standardized way to collect, process, and look up data. And that is where the idea for BigDB began. Below are some of the key features we had in mind for BigDB.

Introducing BigDB

What is BigDB

BigDB is a big data processing pipeline for LINE ads. It can collect, reprocess, and look up data. LINE ads are analyzed in two ways: the first is in real time, whenever an ad is shown to a user. The second is batch analysis, where events are collected and analyzed after a set time, such as hourly or daily. BigDB fluidly provides the data used for analysis, sometimes combining time series and static data if necessary.

Outcomes of the LINE Security Bug Bounty Program

About the LINE Security Bug Bounty Program

Hello, my name is Lee Myoung Jae (MJ) and I’m in charge of security at LINE. In this post I’m going to talk about the LINE Security Bug Bounty Program and the results of the program in 2016. The LINE Security Bug Bounty Program is an ongoing program to make the LINE app more secure for our users by letting external engineers submit bug (vulnerability) reports which we would then immediately fix.

We first conducted a trial run of the program called the LINE Bug Bounty Program from August 24 to September 23 in 2015. Based on our experience from that trial, we made various changes to create an improved bug bounty program for 2016. And on June 2, 2016, we launched the new and improved LINE Security Bug Bounty Program.

For more information about the LINE Bug Bounty Program, see our previous blog posts: “Introducing the LINE Bug Bounty Program” and “Results From the LINE Bug Bounty”.

LINE Security Bug Bounty Program website: https://bugbounty.linecorp.com/

Results From the LINE Bug Bounty

Preparing the Bug Bounty Program

Hello. I am MJ, a LINE security engineer.

In this post I would like to share the results of the 2015 LINE Bug Bounty (August 24-September 23). As our first ever bug bounty program, we are very pleased with how well the program came together.

The core objective of the program was to discover and fix potential vulnerabilities in our services so that our users can enjoy them safely. Several departments lent us a hand in preparing the program and we could not have done it without them.