LmCast :: Stay tuned in

LINE Messaging Bugs Open Asian Users to Cyber Espionage

Recorded: Nov. 22, 2025, 1:02 a.m.


In a potential gift to geopolitical adversaries, the encrypted messaging app uses a leaky custom protocol that allows message replays, impersonation attacks, and sensitive information exposure from chats.

Tara Seals, Managing Editor, News, Dark Reading
November 21, 2025
7 Min Read
Source: mauritius images GmbH via Alamy Stock Photo

LINE, a popular encrypted messaging platform used daily by millions of users in East Asia — most notably in Japan, Taiwan, Thailand, and Indonesia — is offering up a veritable buffet of attack vectors for threat actors, potentially exposing billions of messages to data leakage and misuse.

That’s according to researchers Thomas Mogensen and Diego De Freitas Aranha from Aarhus University, who conducted a comprehensive security analysis of LINE's custom end-to-end encryption (E2EE) protocol, dubbed Letter Sealing v2. Among the findings, which the two will be presenting at Black Hat Europe in early December, are critical vulnerabilities that open the door to three main buckets of compromise: message replay attacks, plaintext and sticker leakage, and, most concerningly, impersonation attacks. To boot, the researchers successfully mounted man-in-the-middle (MiTM) attacks on iOS devices to verify their findings against the authentic LINE application.

The implications are particularly concerning given LINE's status as a "super application" integral to the daily lives of people in the region, the researchers tell Dark Reading, handling everything from banking apps to daily communications.
"In Japan, for instance, it's integrated with e-government, it's got banking, it's got games, it's got news, it's got pretty much everything," Mogensen tells Dark Reading. "People complain about this app because they can't live their life without it."

A Raft of Cyberattacks to Subvert LINE Messaging Security

On the replay front, Mogensen and Aranha found that the protocol's stateless design enables malicious servers to resend existing encrypted messages at any time in the future, potentially changing the context and meaning of communications.

"A malicious server is able to replay a message that I'm sending, and it can do that so that you'll get the message however many times the server wants to send it to you, and it can be anytime in the future," explains Mogensen. "So a week from now, or even a year from now, the server's able to resend that message. Now that's a major issue, because contexts change, and if I just send a message saying 'yes,' it can be an answer to a new question in the future."

He noted that the server can't see the actual contents of the message, but it can replay the "ciphertext," as it's called, potentially causing confusion or making targets divulge sensitive information.

Secondly, LINE's popular sticker system and URL preview features create significant plaintext leakage, the team found — in the latter case with the ability to send full website URLs (which could include secrets like credentials, token IDs, or meeting IDs) directly to the server.

"LINE uses stickers, which are these small cute emojis," Mogensen says. "So when I text or type things in my app, my app will recommend these cute stickers instead of the words I'm typing. Locally on the app there's a dictionary, and that dictionary checks whether I have this emoji on my phone. If I don't, then it asks the server to send it."

He adds, "So in practice, what that means is the plaintext I'm typing is sent to the server for emoji delivery, so the server can tell what I'm typing."

Similarly, if a user is sending a website link to someone, the app shows a small preview to the recipient of what the website looks like. Again, this is a function that's server-enabled, so the server can see the full URLs.

"Those URLs could contain a meeting ID and a password, hidden folders, tokens … and all of those would be sent to the server as well," Mogensen notes.

The third and most critical issue that the researchers uncovered is that the protocol allows impersonation attacks, where any user in a chat can forge messages from other participants.

"Let's say the three of us are in a group, then I would be able to impersonate you to Diego so that he thinks messages are coming from you," Mogensen explains. "In reality, I'm working with an evil server and choosing the contents. Now this goes for any group. If you are in that chat, you have access to enough knowledge to impersonate anyone you’re in there with."

For any of these attacks to work, users must connect to a malicious LINE server, allowing threat actors, whether financially motivated or state-sponsored, to achieve a MiTM position. But meanwhile, users themselves will have no indication that the server they're using is anything other than legitimate.
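The replay problem Mogensen describes comes down to the receiving client having no state with which to tell a fresh sealed message from a copy the relaying server delivers again later. The Python below is an added illustration, not LINE's code, the Letter Sealing protocol, or the researchers' proof of concept: a deliberately simple HMAC-based sealing scheme (constructed for the example) with a stateless receiver that accepts the same authentic ciphertext as often as it arrives, beside a receiver that remembers the highest sequence number seen per sender and rejects a re-delivery. The relay in the middle needs no key to replay; it just hands the same bytes over twice. All keys, names and messages are constructed.

```python
"""Toy demonstration of stateless vs. stateful E2EE receivers and replay.

The sealing scheme here (SHA-256 counter-mode keystream + HMAC tag) is a
constructed stand-in for illustration only; it is not LINE's protocol.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Sealed:
    sender: str
    seq: int            # sender-chosen, monotonically increasing counter
    ciphertext: bytes
    tag: bytes          # MAC over sender, seq and ciphertext


class ReplayError(Exception):
    """Raised when an authentic message is delivered a second time."""


def _keystream(key: bytes, sender: str, seq: int, n: int) -> bytes:
    # Constructed toy keystream: hash(key || sender || seq || block) in counter mode.
    out = b""
    block = 0
    while len(out) < n:
        out += hashlib.sha256(key + sender.encode() + seq.to_bytes(8, "big")
                              + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:n]


def _tag(key: bytes, sender: str, seq: int, ciphertext: bytes) -> bytes:
    # The tag binds sender and counter to the ciphertext, so a relay cannot
    # relabel a message; it can only deliver the whole thing again.
    data = sender.encode() + b"|" + seq.to_bytes(8, "big") + b"|" + ciphertext
    return hmac.new(key, data, hashlib.sha256).digest()


def seal(key: bytes, sender: str, seq: int, plaintext: bytes) -> Sealed:
    ks = _keystream(key, sender, seq, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    return Sealed(sender, seq, ct, _tag(key, sender, seq, ct))


def _open(key: bytes, msg: Sealed) -> bytes:
    if not hmac.compare_digest(msg.tag, _tag(key, msg.sender, msg.seq, msg.ciphertext)):
        raise ValueError("bad tag: message was forged or tampered with")
    ks = _keystream(key, msg.sender, msg.seq, len(msg.ciphertext))
    return bytes(a ^ b for a, b in zip(msg.ciphertext, ks))


class StatelessReceiver:
    """Accepts any authentic message, however many times it is delivered."""

    def __init__(self, key: bytes):
        self.key = key

    def receive(self, msg: Sealed) -> bytes:
        return _open(self.key, msg)


class StatefulReceiver:
    """Tracks the highest counter seen per sender and rejects anything at or
    below it, so a relaying server cannot deliver an old message again."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = {}  # sender -> highest authenticated seq accepted

    def receive(self, msg: Sealed) -> bytes:
        pt = _open(self.key, msg)  # authenticate first: unauthenticated input must not touch state
        if msg.seq <= self.last_seq.get(msg.sender, -1):
            raise ReplayError(f"replayed message seq={msg.seq} from {msg.sender}")
        self.last_seq[msg.sender] = msg.seq
        return pt


def demo():
    """Deliver one sealed 'yes' twice to each receiver type.

    Returns (first stateless result, second stateless result, replay blocked by stateful receiver).
    """
    key = b"constructed-shared-key-for-demo"
    msg = seal(key, "alice", 1, b"yes")       # constructed message
    stateless, stateful = StatelessReceiver(key), StatefulReceiver(key)
    first = stateless.receive(msg)
    second = stateless.receive(msg)           # relay re-delivers: accepted again
    stateful.receive(msg)
    try:
        stateful.receive(msg)                 # relay re-delivers: rejected
        blocked = False
    except ReplayError:
        blocked = True
    return first, second, blocked


if __name__ == "__main__":
    print(demo())
```

A strictly increasing per-sender counter is the simplest form of the check; deployed protocols usually keep a sliding window of recently accepted counters so that legitimately reordered traffic is not rejected, and they feed the counter into the key derivation so that the cryptography, not only the application logic, changes with every message. The order in `StatefulReceiver.receive` matters: the tag is verified before the counter is consulted, so a relay cannot advance or poison the receiver's state with bytes it made up.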
"To put this in context, this means LINE users are in a sense forced to put a high degree of trust in the server and the infrastructure," Aranha explains, "and they don't have many means to verify if the server is actually behaving honestly as specified in the protocol."

Aranha and Mogensen plan to delve into the mechanics of the attack vectors as well as user workarounds during their session at Black Hat Europe.

Cyberespionage & Threats to Civil Society in Asia

Getting targets to connect to a malicious LINE server can be done through basic social engineering, but in a corporate or geopolitical context there are broader implications to consider.

"All of this is a concern for anybody who wants to stay private in their messaging, and one of the big selling points of the application is that it's end-to-end encrypted," Mogensen says. "In most practical settings, most people shouldn't be concerned about high-impact attacks, but there are exceptions."

For instance, a disgruntled employee in a company could be interested in sabotaging specific users. Or, more ominously, an insider threat could be bent on intellectual property theft. In either of those cases, employees would have no reason to think there's risk in using a company-approved LINE app and wouldn't question the interactions. In a geopolitical twist, an organization more broadly could be coerced by a government to act maliciously.

"Typically they can be compelled through the judicial system to actually break privacy of users," Aranha says. "The LINE user base is mostly in Asia, and very popular in Taiwan, for example, as an application. So I’m sure you could think of governments who would be interested in maybe compromising the security of users in Taiwan and would try to do that."

No Remediation for LINE Privacy Issues on the Horizon

Unfortunately for users and corporations, there are no fixes in sight for the issues that Mogensen and Aranha have identified.

Adding insult to proverbial injury, despite LINE claiming to have fixed similar holes in Letter Sealing v1 back in 2019, the researchers found that the problems have persisted, and actually got worse in version 2. Mogensen and Aranha disclosed their most recent findings to LINE, which acknowledged the legitimacy of the vulnerabilities but provided limited-to-no plans for mitigating them, since the bugs are there as a result of innate features of the proprietary protocol design. The company did say there are certain user workarounds, such as changing default settings, which would close up some of the avenues of attack.

"It's not clear if they will redesign or upgrade the protocol in some way," says Aranha. "They tried to design a custom protocol, and I think that's the root issue. In cryptography this is a big no-no, because when you try to design a protocol, you end up repeating problems that are well known already in the literature because you're just not up to date with the state-of-the-art. We already have a bunch of protocols that are standardized."

In many ways, he says, the LINE problems mirror findings for other messengers years ago that also served stickers or previews of URLs in similar manners — and that's also concerning.

"The fact that a messenger that has millions of users that exchange billions of messages a year is still, let's say, aligned with the security standards of a decade ago was surprising to us," Aranha says. "They didn't react really to how the cryptography field is moving forward, how much more sensitive these applications are getting for various reasons, due to activism and the state of the world, basically. And they're still kind of running this protocol that forces users to trust them to a high degree."

LINE did not immediately return a request for comment from Dark Reading.

About the Author
Tara Seals, Managing Editor, News, Dark Reading
Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

The encrypted messaging platform LINE, a dominant force in East Asia including Japan, Taiwan, Thailand, and Indonesia, presents significant cybersecurity vulnerabilities that could expose users to espionage and compromise. Research conducted by Aarhus University’s Thomas Mogensen and Diego De Freitas Aranha identified critical flaws within LINE’s custom encryption protocol, dubbed Letter Sealing v2, raising serious concerns about user privacy and data security. These vulnerabilities span three primary categories: message replay attacks, plaintext and sticker leakage, and impersonation attacks.

The core issue lies in Letter Sealing v2’s stateless design. This allows malicious servers to resend encrypted messages at any time, regardless of their original context. Mogensen and Aranha demonstrated this through man-in-the-middle (MiTM) attacks on iOS devices, verifying that a server could replay messages from weeks or even years prior. This creates a situation where a message sent in the past could be reinterpreted in the present, fundamentally altering its meaning and potentially leading to confusion or the revelation of sensitive information. The server itself doesn’t examine the message’s contents, but simply resends the ciphertext.

Further compounding the problem is LINE’s reliance on its sticker system and URL preview features. The application’s recommended stickers are delivered via a server-enabled process. This means that plaintext versions of the characters typed by users are sent to the server to determine if a sticker needs to be rendered. This creates a pathway for unauthorized data exposure. Similarly, URL previews—used to display snippets of websites—are also server-enabled, allowing the server to see the full URLs, potentially exposing credentials, token IDs, meeting details, or other confidential information, as highlighted by Mogensen.
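The URL-preview leak is a design choice rather than a cryptographic flaw: the client hands the server the full link so the server can render a preview. As an added example (not from the article, the researchers, or LINE), the Python below shows the client-side gate a defender would want in front of any server-side preview call: links with embedded credentials, a non-web scheme, or query parameters whose names look like secrets get no preview at all, and every other link is reduced to scheme, host and path before it leaves the device. The parameter-name list, the regex, and the sample message are constructed for the example.

```python
"""Client-side gating of what a messaging app may send to a URL-preview service.

Constructed example: policy, parameter list and sample inputs are illustrative.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Query parameter names that commonly carry secrets (constructed list for the
# example; a real client would maintain and tune its own).
SENSITIVE_PARAMS = {
    "token", "access_token", "id_token", "refresh_token", "auth", "apikey",
    "api_key", "key", "password", "passwd", "pwd", "passcode", "pass",
    "session", "sessionid", "sid", "sig", "signature", "code", "otp",
}

# Constructed matcher for http(s) links inside free text.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def preview_target(url: str) -> Optional[str]:
    """Return the reduced URL a client may send to a preview service,
    or None if the link must not leave the device for previewing."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None                      # previews only make sense for web links
    if parts.username is not None or parts.password is not None:
        return None                      # user:pass@host embeds credentials
    if not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:
        return None                      # malformed port: do not guess
    names = {name.lower() for name, _ in parse_qsl(parts.query, keep_blank_values=True)}
    if names & SENSITIVE_PARAMS:
        return None                      # e.g. ?pwd=... on a meeting link
    host = parts.hostname if port is None else f"{parts.hostname}:{port}"
    # Strip query string and fragment: a preview needs the document, not its parameters.
    return urlunsplit((parts.scheme.lower(), host, parts.path or "/", "", ""))


def preview_targets_for_message(text: str) -> List[Tuple[str, Optional[str]]]:
    """Map every link in an outgoing message to what (if anything) may be previewed."""
    return [(url, preview_target(url)) for url in URL_RE.findall(text)]


if __name__ == "__main__":
    sample = ("join https://meet.example.com/j/1234?pwd=abc "     # constructed
              "or read https://example.com/docs?utm=1#intro")
    for original, allowed in preview_targets_for_message(sample):
        print(f"{original!r} -> {allowed!r}")
```

The same rule applies to the sticker-suggestion path the article describes: the only thing that should ever cross to the server is an opaque sticker identifier, never the words being typed. Reducing a link to host and path still tells the server which site was shared, so a client that wants to keep even that private has to generate previews on the sender's device or skip them entirely; the gate above limits the damage of the server-side design rather than removing the trust placed in the server.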

Perhaps the most alarming vulnerability is the ability to impersonate other participants in a group chat. Researchers demonstrated that a user could forge messages from other group members, essentially becoming a conduit for disseminating false information or engaging in deceptive activities. This capability relies on the compromised server's ability to inject messages into the conversation, blurring the lines of trust and necessitating a high degree of reliance on LINE's servers.

The vulnerabilities are exploited through connections to a malicious LINE server, which can be established through basic social engineering techniques. This isn't limited to individual users; the implications extend to corporate and geopolitical contexts. A disgruntled employee could use these flaws to sabotage operations, while state-sponsored adversaries could leverage the vulnerabilities for intellectual property theft or broader espionage activities.

The implications are particularly worrisome given LINE’s "super application" status, integrated into nearly every aspect of users’ daily lives. In Japan, LINE’s integration with e-government services, banking apps, and even news platforms creates a deeply ingrained reliance on the platform, intensifying the potential impact of these security flaws.

Notably, these vulnerabilities predate LINE’s claims of fixing similar issues in Letter Sealing v1 back in 2019, and the flaws appear to have been exacerbated in v2. Moreover, Mogensen and Aranha’s work reveals a concerning disconnect between LINE’s development practices and the evolving standards of the cryptography field, where more sensitive applications, driven by factors like activism and heightened security awareness, demand greater protections.

The problem lies, in part, with the nature of a custom protocol—a frequent source of vulnerabilities due to developers’ inability to anticipate every potential issue within a bespoke design. This mirrors findings for other messaging apps that utilize sticker or URL preview features in similar ways.

Currently, there are no immediate remediation plans from LINE. The company acknowledged the vulnerabilities but has provided limited-to-no concrete plans for redesigning or upgrading the protocol. The decision not to address the inherent issues within the Letter Sealing v2 protocol raises significant concerns about the long-term security posture of the platform.

The situation underscores a broader challenge: the difficulty of maintaining security when relying on a custom protocol, and suggests that LINE has not adapted to the advancements in cryptography standards. Until LINE takes decisive action, users remain exposed to significant risk of espionage and data compromise.