Due to misconfiguration in the webview of LINE client for iOS, the data with header "Content-type" as "application/octet-stream" was treated as HTML. This could lead to a malicious Javascript execution, resulting a Cross-site scripting attack.