CVE-2024-23388: Improper authorization in handler for custom URL scheme in Mercari, Inc. "Mercari" App for Android
Improper authorization in handler for custom URL scheme issue in "Mercari" App for Android prior to version 5.78.0 allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App. As a result, the user may become a victim of a phishing attack.
AI Analysis
Technical Summary
CVE-2024-23388 is a medium-severity vulnerability identified in the Mercari App for Android versions prior to 5.78.0. The issue stems from improper authorization in the handler for a custom URL scheme within the app. Custom URL schemes allow apps to be invoked or to handle specific types of links. In this case, the Mercari app's handler does not properly verify or authorize the URLs it processes, enabling a remote attacker to craft malicious URLs that, when opened by a user through the vulnerable app, redirect the user to arbitrary websites. This flaw can be exploited without any privileges or prior authentication, but it requires user interaction, such as clicking a malicious link. The vulnerability is classified under CWE-862 (Improper Authorization), indicating that the app fails to enforce correct access control on the URL handling functionality. The CVSS v3.1 base score is 6.1, reflecting a medium severity level, with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), scope changed (S:C), and low impact on confidentiality and integrity (C:L/I:L) but no impact on availability (A:N). While no known exploits are currently reported in the wild, the vulnerability poses a phishing risk by redirecting users to attacker-controlled websites, potentially leading to credential theft or other social engineering attacks. The vulnerability affects Android users of the Mercari app worldwide who have not updated to version 5.78.0 or later.
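The pattern the summary describes, as an added illustration that is not Mercari's code: a hypothetical Android Activity receives a custom-scheme deep link carrying a target URL and opens it. The scheme, the `url` parameter, the class name and the allowlisted hosts are all assumptions for the example. The commented-out line is the unauthorized-redirect pattern; the `isAuthorizedTarget` check is one way to enforce the missing authorization.

```java
// Added illustration (not Mercari's code): hypothetical Activity registered for a
// deep link such as myapp://open?url=<target>. Scheme, parameter and hosts are assumed.
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class DeepLinkActivity extends Activity {
    // Hosts this app is willing to open in-app; constructed for the example.
    private static final Set<String> ALLOWED_HOSTS = new HashSet<>(
            Arrays.asList("www.example-shop.test", "help.example-shop.test"));

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);
        Uri data = getIntent().getData();
        String target = data == null ? null : data.getQueryParameter("url");

        // Vulnerable pattern (CWE-862): the target comes straight from the incoming
        // link and is loaded without any check, so whoever crafted the link decides
        // which site the user lands on inside the trusted app.
        // webView.loadUrl(target);

        // Hardened pattern: only open targets the app explicitly authorizes.
        if (isAuthorizedTarget(target)) {
            webView.loadUrl(target);
        } else {
            finish();  // refuse the link; an in-app error screen is the alternative
        }
    }

    static boolean isAuthorizedTarget(String target) {
        if (target == null || target.isEmpty()) return false;
        Uri uri = Uri.parse(target);
        if (uri.isOpaque()) return false;          // e.g. "javascript:..." has no host
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) return false;
        // Require https and an exact allowlisted host. Uri.getHost() strips any
        // user-info prefix, so "https://good.test@evil.test" resolves to evil.test.
        return "https".equals(scheme.toLowerCase(Locale.ROOT))
                && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }
}
```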
Potential Impact
For European organizations, the primary impact of this vulnerability lies in the increased risk of phishing attacks targeting employees using the Mercari Android app. Since the vulnerability enables redirection to arbitrary websites, attackers can craft convincing phishing campaigns that exploit user trust in the Mercari app to harvest credentials or deliver malware. This can lead to compromised user accounts, unauthorized access to corporate resources if credentials are reused, and potential lateral movement within organizational networks. Additionally, organizations with employees who use the Mercari app for business or personal purposes on corporate devices may face increased risk of data leakage or compromise. The vulnerability does not directly impact the confidentiality, integrity, or availability of organizational systems but acts as an attack vector facilitating social engineering attacks. Given the app’s user base and the medium severity, the threat is more significant in sectors with high reliance on mobile commerce or where employees frequently use personal devices for work (BYOD environments).
Mitigation Recommendations
To mitigate this vulnerability effectively, European organizations should:
1) Enforce a policy requiring all users to update the Mercari Android app to version 5.78.0 or later immediately, ensuring the patched version is installed.
2) Implement mobile device management (MDM) solutions to monitor and control app versions on corporate and BYOD devices, preventing use of vulnerable app versions.
3) Educate users about the risks of clicking on unsolicited or suspicious links, especially those that may appear to originate from trusted apps like Mercari.
4) Employ advanced email and web filtering solutions to detect and block phishing URLs that exploit this vulnerability.
5) Encourage the use of multi-factor authentication (MFA) on all critical accounts to reduce the impact of credential compromise resulting from phishing.
6) Monitor network traffic for unusual redirection patterns or access to known malicious domains that could indicate exploitation attempts.
7) Coordinate with security teams to update threat intelligence feeds with indicators related to this vulnerability once available.
Affected Countries
United Kingdom, Germany, France, Italy, Spain, Netherlands, Sweden, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: jpcert
- Date Reserved: 2024-01-16T05:50:38.250Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 683f3b5c182aa0cae287157f
Added to database: 6/3/2025, 6:13:48 PM
Last enriched: 7/4/2025, 11:26:49 AM
Last updated: 8/14/2025, 7:15:31 PM