CWE-939: Improper Authorization in Handler for Custom URL Scheme
CWE Version: 4.18
Last Updated: 2025-09-09
Weakness Description
The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme.
Extended Description
Mobile platforms and other architectures allow custom URL schemes as a channel for communication between applications; on iOS this has historically been the main method of inter-application communication. What a handler does with an incoming URL is left entirely to the developer, and anything that can open a URL (another installed app, or a web page the user visits) can invoke it. A handler that exposes potentially dangerous functionality, such as modifying files, without checking who is calling or asking the user opens a security flaw in the application.
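The following is an added illustration, not code from the CWE entry or from any real product: a simulated handler for a hypothetical `notes://` scheme, first in the unrestricted form this weakness describes and then with the checks a practitioner would expect. The scheme name, the actions (`open`, `replace`), the trusted bundle identifier `com.example.companion`, the in-memory note store and the `confirm` callback are all assumptions made for the example; the caller identity is modelled on the `sourceApplication` option an iOS open-URL delegate receives, but the logic is platform-neutral.

```python
import re
from urllib.parse import urlparse, parse_qs

SCHEME = "notes"                                   # hypothetical scheme this app registers
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")      # rejects "../" and other path tricks


def _parse(url):
    """Split notes://<action>?k=v into (action, params); (None, {}) if not our scheme."""
    u = urlparse(url)
    if u.scheme != SCHEME:
        return None, {}
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    return u.netloc.lower(), params


class VulnerableHandler:
    """Dispatches directly on the action. Any caller that can open a URL,
    including a web page via a link, overwrites a note silently. This is the
    CWE-939 pattern: a state-changing action with no caller check and no prompt."""

    def __init__(self):
        self.store = {"todo.txt": "buy milk"}      # constructed sample data

    def handle(self, url):
        action, p = _parse(url)
        if action == "replace":
            self.store[p["name"]] = p["body"]      # no authorization, no user prompt
            return "replaced"
        if action == "open":
            return self.store.get(p.get("name", ""), "")
        return "ignored"


class HardenedHandler:
    """Same scheme, but only allowlisted actions are dispatched, parameters are
    validated before use, and state-changing actions require both an allowlisted
    caller identity and an explicit user confirmation (the confirm callback
    stands in for the UI prompt)."""

    TRUSTED_CALLERS = {"com.example.companion"}   # hypothetical bundle identifier
    READ_ONLY = {"open"}
    STATE_CHANGING = {"replace"}

    def __init__(self, confirm):
        self.store = {"todo.txt": "buy milk"}      # constructed sample data
        self.confirm = confirm                     # callable(action, name) -> bool

    def handle(self, url, source_app=None):
        action, p = _parse(url)
        if action is None:
            return "ignored"
        if action not in self.READ_ONLY | self.STATE_CHANGING:
            return "rejected: unknown action"
        name = p.get("name", "")
        if not NAME_RE.fullmatch(name):
            return "rejected: bad name"
        if action in self.STATE_CHANGING:
            # A browser-originated link arrives with no source app, so it fails here.
            if source_app not in self.TRUSTED_CALLERS:
                return "rejected: untrusted caller"
            # Even a trusted caller cannot change state without the user agreeing.
            if not self.confirm(action, name):
                return "rejected: user declined"
            self.store[name] = p.get("body", "")
            return "replaced"
        return self.store.get(name, "")


if __name__ == "__main__":
    attack = "notes://replace?name=todo.txt&body=pwned"   # constructed hostile URL
    v = VulnerableHandler()
    print("vulnerable:", v.handle(attack), "->", v.store["todo.txt"])
    h = HardenedHandler(confirm=lambda action, name: False)
    print("hardened, from a web link:", h.handle(attack))
    print("hardened, trusted caller, user declines:",
          h.handle(attack, source_app="com.example.companion"))
```

The two checks on the state-changing path are deliberately layered: the caller identity a platform supplies can be absent (links opened from a browser) and should not be treated as a strong credential on its own, so the user prompt remains the backstop, which is exactly what the "requires no user prompt" wording in the observed examples below points at.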
Potential Mitigations
Phase: Architecture and Design
Observed Examples
Reference: CVE-2013-5725
A URL scheme exposes a "replace" action that requires no user prompt, allowing remote attackers to perform undesired actions.
Reference: CVE-2013-5726
A URL scheme exposes "follow" and "favorite" actions, allowing remote attackers to force the user to perform undesired actions.
Modes of Introduction
| Phase | Note |
|---|---|
| Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |