LINE on Securing the Application Development Lifecycle with Bug Bounties
Based in Japan, LINE Corporation is dedicated to the mission of “Closing the Distance,” bringing together information, services and people. The LINE messaging app launched in June 2011, offering users chat, voice call and video call services, as well as features like Timeline, News, and LINE Stickers. The messaging app has since grown to 167 million global monthly users. More recently, LINE has grown to provide other services like AI, fintech, blockchain, and various O2O services like LINE Delima. With so much data exchanged between their millions of users and their emerging technology channels, LINE’s security team is tasked with reducing risk across their attack surface at scale.
We recently sat down with LINE Application Security Engineer, Byoungyun Lee, to learn more about how they incorporate their bug bounty program on HackerOne into their comprehensive application security strategy. Take a look at what we learned.
Q: What are LINE’s main tenets? How do you approach application security?
In application security, we try to consider security at every stage of the development lifecycle. From the early stages of project planning, to reviewing what threats may occur, to periodically conducting security trainings so that developers can consider security in the implementation stage, all the way to monitoring and reviewing our products once implementation is complete. Whenever there are new product updates, we repeat these steps. We are also introducing automated monitoring techniques to increase efficiency and expand what can be covered. Through the bug bounty program, we are able to encourage the global community of hackers to identify any bugs that our internal security team may have missed.
HackerOne has a large hacker community and the platform necessary to operate LINE’s bug bounty program. By using HackerOne’s platform and welcoming the community, LINE can increase operational efficiency. Through the partnership with HackerOne, we can share new bugs and learn from the vulnerability trends on the platform while also getting a guide that helps us create a successful bug bounty program.
Q: How does this tie into LINE’s philosophy and mission of driving application safety?
The evolution of technology thrives on responding to those who find vulnerabilities. LINE's security has to keep up with the security field. Our security team is constantly looking closely at the various threats and vulnerabilities found in our services, learning from them, and taking steps to improve. We share those results with the hacker community to encourage them and to get more feedback from them.
LINE has adopted a very open strategy toward security and would like to be more transparent to our users and to the hacker community. We believe we can build user trust by adopting this approach, and that it helps us build better relationships with the hacker community by giving them public recognition for their contributions.
In addition, our approach demonstrates clearly and openly how LINE handles bugs, which promotes engagement if hackers see how we work with them. We hope that will encourage them to continue working with us in the future.
Q: What are the main types of vulnerabilities that a service provider such as LINE must be aware of?
Various vulnerabilities are being discovered and corrected by the internal security team and the bug bounty participants. Traditional vulnerabilities such as XSS, SSRF, and vulnerabilities due to misconfigurations can be easily found.
However, there are highly skilled hackers that approach LINE’s services and the entire LINE ecosystem with a deeper understanding. They understand how LINE's services are connected, and how and where the internal data flows. They realize how problems can occur in between services' relationships and report the vulnerabilities that are hard to find with traditional methods or tools. For example, hackers can connect not-so-serious problems based on that knowledge and build them into a serious threat. A minor glitch over here can trigger bigger problems over there. These kinds of problems are hard to catch and cost a lot to fix, and because our solutions are complex, they often require major changes to entire architectures. Service providers that operate huge ecosystems of products must be prepared for the kind of vulnerabilities that invariably exist between complex service relationships.
Q: How do you react to trends?
It is always better to find problems in the early stages of planning and design. That's why we perform security assessments at every stage of service development. It is difficult to find these types of relational vulnerabilities by just looking for vulnerabilities within very specific source code and binaries.
During the security assessment in the planning and design stage, we assess not only technical threats, but also business-related threats, such as personal information leakage, and help the developer and business teams to make the needed fixes. In the code review and test stage, we once again assess the threats and make sure everything is safe.
Q: How does LINE work to improve the handling of security issues over time?
In addition to the above, we have also adopted various methods to develop our security:
- Developer education: In order to raise the security awareness of developers, we share the vulnerabilities found in our services from the bug bounty program through a periodic event called “BugLINE”. We also run wargame-type simulations so that developers can understand security issues by exploiting them with their own hands.
- Analysis tools: The security team is working on projects to automate static and dynamic analysis in order to efficiently use our resources and cover as many services as possible.
- Scanner: We built our own scanner to quickly identify known threats or misconfigurations automatically. This is designed specifically for LINE, and we are running it against our services and infrastructure periodically.
- Checklist: For threats that are hard to automate, we maintain a checklist generating system to help engineers eliminate risk in development. The checklist is generated automatically depending on the types and platform environments of the assessment targets, so the assessment is done efficiently.
Q: How do we learn about and deal with new types of attacks? How do we ensure that LINE security is always improving?
Most of the LINE application security teams have a history as hackers. New types of vulnerabilities always excite us. Once we encounter them, we dive in and start analyzing, and we don't stop when we just understand them — rather, we continue studying them until we find similar threats or better methods. We document the research and share it internally to improve the overall skills of our teammates. And then we perform “complete enumeration” for the threats over our infrastructure to see if there are other services with similar problems. If these tasks can be automated, we add tasks to our scanner for a complete sweep. Once the enumeration is finished, we make sure that this type of threat is always checked during future security assessments. It's either added to a scanner or to the checklist.
Q: How have the reports improved your ability to address and react to potential threat scenarios?
Those reports have been good chances for us to know what we're missing. We try to assess all services before releasing/updating, but some slip through our fingers. Old legacy services tend to not be maintained as well, and problems can hide in the shadows.
To prevent problems from happening, we have set up alert systems to sense changes in services, and we are running scanners that can find vulnerabilities in legacy systems. Through this process, we have eliminated over 200 potential threats from being released.
Q: Are there any impressive contributions from the hacker community that you would like to highlight?
There are plenty of great examples, but the ones that come to mind that I encourage other hackers to check out include:
- Hacker @ngalog identified and reported an IDOR bug in September 2019. This bug had a Critical Severity score of 9 to 10. The IDOR bug would allow an intruder to take over a LINE Official Account. Ron was awarded a bounty of US$4,750 for his efforts. LINE fixed the bug, and disclosed the vulnerability after fixing it in March 2020.
- Hacker @derision identified and reported a medium severity XSS (cross-site scripting) OAuth2 login bug in September 2019 which would allow bad actors to steal user credentials through the sending of a malicious obfuscated URL to unsuspecting users who clicked through them. @derision was paid a bounty of US$1,989.50 for his efforts. LINE fixed the bug, and disclosed the vulnerability after fixing it in March 2020.
- Hacker @shaolin_tw identified and reported a high severity bug in November 2019. The bug was an HTTP Request Smuggling Attack bug on LINE's load balancers, which would have allowed bad actors to potentially intercept HTTP requests on a website, bypass security setups and gain unauthorized access to confidential data and even affect other network users. @shaolin_tw was paid a bounty of US$9,000 for his efforts. LINE fixed the bug on its load balancers, checked for other potential vulnerabilities on its infrastructure, and disclosed the vulnerability after that in May 2020.
The global hacker community is valuable to LINE, as we are able to leverage the abilities of some of the most talented hackers around the globe and adapt those results to maintain our security policies. It is also naturally clear that the more hackers we have trying to discover bugs, the more we should be able to find, creating an even safer user environment.
We recognize that money is very important for bug bounty hunters. When they find a bug, they need to be rewarded appropriately for it. So, we make sure to provide sufficient rewards for their work. And in order to induce more talented bug bounty hunters to participate, we need to give them special incentives.
Q: What do we want to achieve by being in this for the long term? What does success look like?
By working with hackers, LINE gets one more layer of security from the point of view of the hackers, providing an additional security check of LINE’s services, which moves us one step closer to our goal of a best-in-class security program.