
CWE-939 (Improper Authorization in Handler for Custom URL Scheme) — Vulnerability Class 12

12 vulnerabilities classified as CWE-939 (Improper Authorization in Handler for Custom URL Scheme). AI Chinese analysis included.

CWE-939 represents a critical access control weakness where applications fail to validate the source of requests invoking custom URL schemes. This flaw typically allows malicious actors to trick users into clicking crafted links or embeds that trigger unintended actions within the target application, such as executing privileged commands or accessing sensitive data without proper authentication. Since custom schemes often serve as vital inter-application communication channels, particularly on mobile platforms like iOS, this vulnerability can lead to significant security breaches. Developers can mitigate this risk by implementing strict authorization checks within the handler logic, ensuring that only trusted or explicitly authorized applications can invoke specific scheme actions. Additionally, validating the origin of incoming requests and requiring user confirmation for sensitive operations further strengthens the application’s defense against unauthorized access and exploitation.

MITRE CWE Description
The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme. Mobile platforms and other architectures allow the use of custom URL schemes to facilitate communication between applications. In the case of iOS, this is the only method to do inter-application communication. The implementation is at the developer's discretion which may open security flaws in the application. An example could be potentially dangerous functionality such as modifying files through a custom URL scheme.
Common Consequences (1)
Scope: Access Control, Other. Impact: Gain Privileges or Assume Identity; Varies by Context; Bypass Protection Mechanism.
An attacker can access any functionality that is inadvertently accessible to the source.
Mitigations (1)
Phase: Architecture and Design. Utilize a user prompt pop-up to authorize potentially harmful actions such as those modifying data or dealing with sensitive information. When designing functionality of actions in the URL scheme, consider whether the action should be accessible to all mobile applications, or if an allowlist of applications to interface with is appropriate.
Examples (2)
This iOS application uses a custom URL scheme. The replaceFileText action in the URL scheme allows an external application to interface with the file incomingMessage.txt and replace the contents with the text field of the query string.
// External application invoking the scheme
NSString *stringURL = @"appscheme://replaceFileText?file=incomingMessage.txt&text=hello";
NSURL *url = [NSURL URLWithString:stringURL];
[[UIApplication sharedApplication] openURL:url];
Good · Objective-C
// Application URL handler: nothing checks who invoked the scheme, so any app
// or any link in a web page can reach the file-writing path.
- (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url {
    if (!url) {
        return NO;
    }
    NSString *action = [url host];
    if ([action isEqualToString:@"replaceFileText"]) {
        NSDictionary *dict = [self parseQueryStringExampleFunction:[url query]];
        // this function will write contents to a specified file
        FileObject *objectFile = [self writeToFile:[dict objectForKey:@"file"]
                                          withText:[dict objectForKey:@"text"]];
    }
    return YES;
}
Bad · Objective-C
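As an added example (not MITRE's code and not taken from any of the listed CVEs), a hardened counterpart to the replaceFileText handler above, written against the newer application:openURL:options: delegate method: it applies the two mitigations the entry names, an allowlist of calling applications and a user prompt before the data-modifying write. The bundle identifier in the allowlist is a constructed placeholder, and writing into the app's Documents directory stands in for the page's unnamed writeToFile: helper.

```objectivec
#import <UIKit/UIKit.h>
@interface AppDelegate : UIResponder <UIApplicationDelegate>
@end
@implementation AppDelegate
- (BOOL)application:(UIApplication *)app openURL:(NSURL *)url
            options:(NSDictionary<UIApplicationOpenURLOptionsKey, id> *)options {
    if (![url.host isEqualToString:@"replaceFileText"]) {
        return NO; // unknown action: refuse rather than silently accept
    }
    // 1. Restrict who may invoke the handler. iOS reports the calling app's bundle
    //    identifier; a link opened from Safari or a web view reports none and is refused.
    //    The allowlist entry is a constructed placeholder.
    NSSet *trustedCallers = [NSSet setWithObject:@"com.example.trusted-messenger"];
    NSString *caller = options[UIApplicationOpenURLOptionsSourceApplicationKey];
    if (caller == nil || ![trustedCallers containsObject:caller]) {
        return NO;
    }
    // 2. Parse the query with NSURLComponents instead of hand-rolled string splitting.
    NSURLComponents *parts = [NSURLComponents componentsWithURL:url resolvingAgainstBaseURL:NO];
    NSString *file = nil, *text = nil;
    for (NSURLQueryItem *item in parts.queryItems) {
        if ([item.name isEqualToString:@"file"]) file = item.value;
        if ([item.name isEqualToString:@"text"]) text = item.value;
    }
    // 3. Accept only a bare file name so the caller cannot steer the write outside
    //    the Documents directory.
    NSCharacterSet *separators = [NSCharacterSet characterSetWithCharactersInString:@"/\\"];
    if (file.length == 0 || text == nil || [file isEqualToString:@".."] ||
        [file rangeOfCharacterFromSet:separators].location != NSNotFound) {
        return NO;
    }
    // 4. Ask the user before a data-modifying action, as the CWE mitigation recommends;
    //    the write happens only inside the confirming action's handler.
    NSString *msg = [NSString stringWithFormat:@"%@ wants to replace %@", caller, file];
    UIAlertController *alert = [UIAlertController alertControllerWithTitle:@"Allow file change?"
                                                                   message:msg
                                                            preferredStyle:UIAlertControllerStyleAlert];
    [alert addAction:[UIAlertAction actionWithTitle:@"Cancel" style:UIAlertActionStyleCancel handler:nil]];
    [alert addAction:[UIAlertAction actionWithTitle:@"Replace" style:UIAlertActionStyleDestructive
                                            handler:^(UIAlertAction *action) {
        NSURL *docs = [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory
                                                             inDomains:NSUserDomainMask].firstObject;
        [text writeToURL:[docs URLByAppendingPathComponent:file] atomically:YES
                encoding:NSUTF8StringEncoding error:NULL];
    }]];
    [app.keyWindow.rootViewController presentViewController:alert animated:YES completion:nil];
    return YES;
}
@end
```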
These Android and iOS applications intercept URL loading within a WebView and perform special actions if a particular URL scheme is used, thus allowing the JavaScript within the WebView to communicate with the application:
// Android
@Override
public boolean shouldOverrideUrlLoading(WebView view, String url) {
    if (url.substring(0, 14).equalsIgnoreCase("examplescheme:")) {
        if (url.substring(14, 25).equalsIgnoreCase("getUserInfo")) {
            // Any page loaded in the WebView can trigger this and receive UserData;
            // the origin of the page is never checked.
            writeDataToView(view, UserData);
            return false;
        } else {
            return true;
        }
    }
    return false; // added for compilation: the original omitted this return
}
Bad · Java
// iOS
- (BOOL)webView:(UIWebView *)exWebView shouldStartLoadWithRequest:(NSURLRequest *)exRequest
                                            navigationType:(UIWebViewNavigationType)exNavigationType {
    NSURL *URL = [exRequest URL];
    if ([[URL scheme] isEqualToString:@"exampleScheme"]) {
        // No check on which page issued the request: any content in the web view may call in.
        NSString *functionString = [URL resourceSpecifier];
        if ([functionString hasPrefix:@"specialFunction"]) {
            // Make data available back in webview.
            UIWebView *webView = [self writeDataToView:[URL query]];
        }
        return NO;
    }
    return YES;
}
Bad · Objective-C

Vulnerabilities classified as CWE-939 (Improper Authorization in Handler for Custom URL Scheme) represent 12 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.