CWE-939 - Improper Authorization in Handler for Custom URL Scheme
- Abstraction:Base
- Structure:Simple
- Status:Incomplete
- Release Date:2014-02-19
- Latest Modification Date:2025-12-11
Weakness Name
Improper Authorization in Handler for Custom URL Scheme
Description
The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme.
Mobile platforms and other architectures allow the use of custom URL schemes to facilitate communication between applications. In the case of iOS, this is the only method to do inter-application communication. The implementation is at the developer's discretion which may open security flaws in the application. An example could be potentially dangerous functionality such as modifying files through a custom URL scheme.
Common Consequences
Scope: Access Control, Other
Impact: Gain Privileges or Assume Identity, Varies by Context, Bypass Protection Mechanism
Notes: An attacker can access any functionality that is inadvertently accessible to the source.
Related Weaknesses
CWE-862Missing AuthorizationHigh
CWE-940Improper Verification of Source of a Communication Channel