CVE-2021-20835

Name of the Vulnerable Software and Affected Versions: Mercari (Merpay) - Marketplace and Mobile Payments App versions prior to 4.49.1

Description: The issue is related to improper authorization in the handler for a custom URL scheme, allowing a remote attacker to lead a user to access an arbitrary website. This website can then launch an arbitrary Activity of the app via the vulnerable App, potentially resulting in the Mercari account's access token being obtained.

Recommendations: For versions prior to 4.49.1, update to version 4.49.1 or later to resolve the issue. As a temporary workaround, consider restricting access to custom URL schemes within the app to minimize the risk of exploitation.