lists.openwall.net - Open Source and information security mailing list archives
Date: Fri, 6 Dec 2013 22:07:46 -0600
From: Daniel Wood <daniel.wood@...sp.org>
To: full-disclosure@...ts.grok.org.uk
Subject: [CVE-2013-6986] Insecure Data Storage in Subway Ordering for California (ZippyYum) 3.4 iOS mobile application

Title: [CVE-2013-6986] Insecure Data Storage in Subway Ordering for
California (ZippyYum) 3.4 iOS mobile application

Published: DATE
Reported to Vendor: May 2013
CVE Reference: CVE-2013-6986
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6986

CVSS v2 Base Score: 4.9
CVSS v2 Base Vector: (AV:L/AC:L/Au:N/C:C/I:N/A:N)
CVSS v2 Temporal Vector: (E:H/RL:U/RC:C)

Credit: This issue was discovered by Daniel E. Wood
http://www.linkedin.com/in/danielewood

Vendor: ZippyYum, LLC | http://www.zippyyum.com
Application: https://itunes.apple.com/us/app/subwayoc/id510770549?mt=8
Tested Version: 3.4

File: SubwayOCKiosk.app
App Name: Subway CA Kiosk
Build Time-stamp: 2012-06-07_09-20-17

1. Introduction: Subway CA is a mobile application available both on iOS
and Android based devices that allows customers to build and order food
menu items that can be paid for through the application using a payment
card such as a debit or credit card.

2. Vulnerability Description: The application stores sensitive data in
clear text in cache files located within the ../Caches/com.ZippyYum.SubwayOC/
directory on the device.

Opening Cache.db and/or Cache.db-wal in any tool that can read SQLite
databases (such as RazorSQL) allows anyone with access to the device's file
system to read the sensitive data in clear text; no decryption step is
required.

Sensitive data elements found within Cache.db and Cache.db-wal:
- password and encryptionKey for the application/user account
- customerPassword
- customerEmail
- deliveryStreet
- deliveryState
- deliveryZip
- paymentMethod
- paymentCardType
- paymentCardNumber
- paymentSecurityCode
- paymentExpMonth
- paymentExpYear
- paymentBillingCode
- customerPhone
- longitude (of device)
- latitude (of device)
- email
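
As an added illustration, which is not part of this advisory and not code
from ZippyYum, the following Python script shows how an auditor can check a
cache directory for this class of issue and why Cache.db-wal matters as much
as Cache.db. It builds a constructed Cache.db in WAL mode (the two-table
layout is a simplified stand-in for the real NSURLCache schema and is an
assumption, as are the sample JSON response, the api.example.test URL and the
4111... test card number), then scans it three ways: through the sqlite3 API,
which replays the WAL transparently; as raw bytes of Cache.db; and as raw
bytes of Cache.db-wal. The key names searched for are the ones listed above;
digit runs are confirmed as card numbers with a Luhn check.

```python
"""Audit SQLite cache files (Cache.db plus Cache.db-wal) for clear-text
sensitive data. Added example, not code from the advisory or the vendor."""
import json
import os
import re
import sqlite3
import tempfile

# Key names taken from the advisory's list of clear-text elements.
SENSITIVE_KEYS = (
    "password", "encryptionKey", "customerPassword", "customerEmail",
    "deliveryStreet", "deliveryState", "deliveryZip", "paymentMethod",
    "paymentCardType", "paymentCardNumber", "paymentSecurityCode",
    "paymentExpMonth", "paymentExpYear", "paymentBillingCode",
    "customerPhone", "longitude", "latitude", "email",
)
# A run of 13 to 19 digits that is not part of a longer run: candidate PAN.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits):
    """Luhn checksum, used to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_bytes(blob):
    """Return (label, value) pairs for sensitive JSON keys and Luhn-valid PANs
    found in a raw byte buffer (a column value, a whole -wal file, a dump)."""
    found = []
    for key in SENSITIVE_KEYS:
        pat = re.compile(rb'"' + key.encode() + rb'"\s*:\s*"?([^",}\s]*)')
        for m in pat.finditer(blob):
            found.append((key, m.group(1).decode("utf-8", "replace")))
    for m in PAN_RE.finditer(blob):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            found.append(("luhn_valid_pan", pan))
    return found


def scan_sqlite(path):
    """Walk every table and column through the sqlite3 API. Opening Cache.db
    makes SQLite replay Cache.db-wal, so un-checkpointed rows are included.
    Returns (table, column, label, value) tuples."""
    hits = []
    con = sqlite3.connect(path)
    con.text_factory = bytes          # TEXT comes back as bytes, like BLOBs
    tables = [r[0].decode() for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cur = con.execute('SELECT * FROM "%s"' % table.replace('"', '""'))
        cols = [d[0] for d in cur.description]
        for row in cur:
            for col, val in zip(cols, row):
                if isinstance(val, bytes):
                    hits.extend((table, col, lab, v) for lab, v in scan_bytes(val))
    con.close()
    return hits


def scan_raw_file(path):
    """Grep the file bytes directly, bypassing SQLite. This is what shows that
    records may live only in Cache.db-wal and not in Cache.db itself."""
    if not os.path.exists(path):
        return []
    with open(path, "rb") as f:
        return scan_bytes(f.read())


def build_sample_cache(directory):
    """Constructed stand-in for an NSURLCache Cache.db (assumption: the real
    schema has more columns; these two tables carry the URL and the body).
    Returns the path and the still-open writer connection: while it is open
    and auto-checkpointing is off, the rows exist only in Cache.db-wal."""
    path = os.path.join(directory, "Cache.db")
    con = sqlite3.connect(path)
    con.execute("PRAGMA journal_mode=WAL")
    con.execute("PRAGMA wal_autocheckpoint=0")
    con.execute("CREATE TABLE cfurl_cache_response "
                "(entry_ID INTEGER PRIMARY KEY, request_key TEXT)")
    con.execute("CREATE TABLE cfurl_cache_receiver_data "
                "(entry_ID INTEGER PRIMARY KEY, receiver_data BLOB)")
    body = json.dumps({                       # constructed API response body
        "customerEmail": "jane@example.test",
        "paymentCardNumber": "4111111111111111",   # well-known test PAN
        "paymentSecurityCode": "123",
        "paymentExpMonth": 12, "paymentExpYear": 2015,
        "orderTotal": 9.5,
    }).encode()
    con.execute("INSERT INTO cfurl_cache_response VALUES (1, ?)",
                ("https://api.example.test/v1/order",))
    con.execute("INSERT INTO cfurl_cache_receiver_data VALUES (1, ?)", (body,))
    con.commit()
    return path, con


def demo():
    """Build the constructed cache and compare three views of it."""
    with tempfile.TemporaryDirectory() as tmp:
        db, writer = build_sample_cache(tmp)
        try:
            result = {
                "raw_main": scan_raw_file(db),           # main file only
                "raw_wal": scan_raw_file(db + "-wal"),   # the WAL on its own
                "via_sqlite": scan_sqlite(db),           # API view, WAL replayed
            }
        finally:
            writer.close()    # last close checkpoints and deletes the -wal
    return result


if __name__ == "__main__":
    for view, hits in demo().items():
        print(view, hits)
```

Against a real device image, call scan_sqlite() and scan_raw_file() on the
files under the app's Caches directory instead of the constructed one. The
raw scan of Cache.db-wal is the view that still finds rows whose pages have
not been checkpointed into the main file, which is why an analysis that
opens only Cache.db with a tool that ignores the -wal file can miss data.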

3. Vulnerability History:
May 9, 2013: Vulnerability identification
May 15, 2013: Unofficial vendor notification
August 4, 2013: Official vendor notification via report
September 20, 2013: Vulnerability remediation notification*
December 7, 2013: Vulnerability disclosure

*Current version 3.7.1 was retested: only customerName, customerEmail,
customerPhone, location and paymentCardType remain in clear text, now
within Subway.sqlite-wal.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
