| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 9 Feb 2014 00:50:02 +0800
From: kaveh ghaemmaghami <kavehghaemmaghami@...glemail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Fwd: Fwd: Re: [CVE-2013-6986] Insecure Data
Storage in Subway Ordering
WDH
---------- Forwarded message ----------
From: "Justin Ferguson" <jf@...co.net>
Date: Feb 9, 2014 12:48 AM
Subject: [Full-disclosure] Fwd: Re: [CVE-2013-6986] Insecure Data Storage
in Subway Ordering
To: "full-disclosure" <full-disclosure@...ts.grok.org.uk>
Cc:
And to call woody on his claim of my trolling him, here's the text there.
The entire thread was four emails long, inclusive of his original post.
Apparently if you say "fuck" the owasp nanny police gets butthurt.
---------- Forwarded message ----------
From: "Justin Ferguson" <jf@...co.net>
Date: Dec 19, 2013 12:11 PM
Subject: Re: [Full-disclosure] [CVE-2013-6986] Insecure Data Storage in
Subway Ordering
To: "Daniel Wood" <daniel.wood@...sp.org>
Cc:
> Storing cardholder data in cleartext is not a "bullshit bug" - read PCI
No, it's a bullshit bug. PCI doesn't regulate how the data is stored
on consumer devices, perhaps *you* should read it instead of web 2.0
drone blather. What are you going to have them do, encrypt it and
where the fuck are you storing the key? Oh great, so now I need to
have a password for all of my 34324234324 apps? or I need to give my
apps my password to a central keystore for all of my keys? ... Do you
people think or just live to see your names in psuedo e-fame lights..
> if you don't like OWASP or really any 'best practices' document or
utilize some
> common sense.
The problem isnt OWASP, its that its brought on an apocalypse of
retarded people working in security and validated them and insanely
stupid bugs like yours. Funny you should reference common sense here.
> Read the news lately...Target?
The hack doesn't even make sense. Stay tuned.
> Not sure how using a publicly available app from the Apple App Store
qualifies as signing an NDA, a legal document.
EULA dope.
> It's locally exploitable, and it includes credentials.
BREAKING: your computer stores sensitive data and you cannot store
other sensitive data (crypto keys) next to the sensitive data it
stores to secure the sensitive data.
> You apparently didn't read the full disclosure details carefully enough.
Of course not, its a fucking local "bug" about data at rest being
clear text on a local device where there is really no sane way to
secure the data other than to make the entire device more insecure.
And, its a subway application, which is a clever way of saying a
crappy web-browser for people who know how to write javascript and are
too lazy to write proper HTML to work with mobile web browsers.
> really all severity ratings are subjective anyways.
The amusing part is that you saw fit to write up a fucking advisory
for it. Seriously I didn't even write up an advisory for this
http://marc.info/?l=openbsd-bugs&m=131435177207230 even though it
would've been hilarious considering the entire internet went looking
for backdoors put in by the USG in that exact code like a month
earlier.
I'm not saying your severity rating is a joke mate, I'm saying the
fucking bug is. Couldn't you be more productive and like pull apart a
banks app and audit its xml-rpc interfaces or something? ...
> I'll give you the benefit of the doubt this time, but if you don't have
anything constructive to say you'll quickly find yourself voided as
irrelevant with me
> and within this industry.
oh noes. subway doesnt crypto its data on local storage guy is worried
i will be voided as irrelevant by someone whom himself is ...
irrelevant and proclaims to speak for an entire industry ... Don't
worry fellah, I'm sure Jeremiah Grossman still has some VC to give out
welfare to you kids.
On Thu, Dec 19, 2013 at 11:59 AM, Daniel Wood <daniel.wood@...sp.org> wrote:
> Justin,
>
> Storing cardholder data in cleartext is not a "bullshit bug" - read PCI
if you don't like OWASP or really any 'best practices' document or utilize
some common sense. Read the news lately...Target?
>
> Not sure how using a publicly available app from the Apple App Store
qualifies as signing an NDA, a legal document.
>
> It's locally exploitable, and it includes credentials. You apparently
didn't read the full disclosure details carefully enough. Maybe you should
follow your own advice you posted (sic Neutron Star commentary). What the
severity of this vulnerability is doesn't really matter in the long run. It
was fixed by the vendor and really all severity ratings are subjective
anyways.
>
> I'll give you the benefit of the doubt this time, but if you don't have
anything constructive to say you'll quickly find yourself voided as
irrelevant with me and within this industry.
>
> -D
>
>> On Dec 19, 2013, at 9:43 AM, Justin Ferguson <jf@...co.net> wrote:
>>
>> (a) its a bullshit bug, but whatever. air-quotes owasp ... air-quotes
>>
>> (b) " I have yet to receive this. I asked for a copy of the allegedly
>> signed NDA last week as well. Failure to provide a legitimate copy of
>> my sent email with a signed NDA proves to me that they forgot to have
>> me sign an NDA.". Actually, assuming there is one, and what I'm
>> reading is 3rd party company X is saying its violating an NDA they
>> signed, BUT, assuming they're just badly worded, you potentially
>> agreed to the NDA when you installed and used the application.
>>
>> Either way, its a client local mobile "bug", rating somewhere below
>> XSS on a website without login credentials. golf clap.
>>
>> On Thu, Dec 19, 2013 at 10:34 AM, Mikhail A. Utin
>> <mutin@...monwealthcare.org> wrote:
>>>
>>>
>>> Hello,
>>> I'm on your side. You are right in both how you are handling the case
and you conclusion. They failed in a few business aspects, thus responsible
for outcome. After all, legal side of our work is not less important than
IT and InfoSec technologies we use.
>>> Good luck
>>>
>>> Mikhail Utin, CISSP, PnD
>>> _____________________________________________________________
>>>
>>> Today's Topics:
>>>
>>> 1. Re: [CVE-2013-6986] Insecure Data Storage in Subway Ordering
>>> for California (ZippyYum) 3.4 iOS mobile application (Daniel Wood)
>>>
>>>
>>> ----------------------------------------------------------------------
>>>
>>> Message: 1
>>> Date: Tue, 17 Dec 2013 16:13:03 -0600
>>> From: Daniel Wood <daniel.wood@...sp.org>
>>> To: Full Disclosure Mailing List <full-disclosure@...ts.grok.org.uk>
>>> Subject: Re: [Full-disclosure] [CVE-2013-6986] Insecure Data Storage
>>> in Subway Ordering for California (ZippyYum) 3.4 iOS mobile
>>> application
>>> Message-ID: <5E0B8213-D336-4D52-9C44-2FBE931152F7@...sp.org>
>>> Content-Type: text/plain; charset="windows-1252"
>>>
>>> I would like to point out that the statements made in the emails from
mikken.tutton@...ersecworldwide.com are untrue at best, defamatory at
worst. I am not going to lambast Jeff, Mikken, or Intersec Worldwide - but
I will defend myself. Normally I would not respond to something like this
in a public forum, however, Intersec Worldwide has forced my hand due to
their untrue statements.
>>>
>>> I never signed a Non-Disclosure Agreement with Intersec Worldwide when
I started my contracting work for them. Now that?s not to say I am going
to start publishing all the vulnerabilities of their clients, far from it.
I am stating this because prior to this email going out, I was called by
Jeff Tutton the ?CISO? about the matter. We talked briefly for about 10
minutes on Wednesday, December 11, 2013. During this phone call I
mentioned the fact that no NDA had been signed. He said he would look into
this and work with his client on the matter regarding the vulnerability
disclosure. I never heard back from him or anyone at Intersec Worldwide
after this.
>>>
>>> I emailed Jeff/Intersec this morning when I saw Fyodor?s post and
Mikken?s/Intersec email alleging I violated their NDA. I gave
Jeff/Intersec until EOB today to provide the original email with the signed
NDA I sent to them, however, I have yet to receive this. I asked for a
copy of the allegedly signed NDA last week as well. Failure to provide a
legitimate copy of my sent email with a signed NDA proves to me that they
forgot to have me sign an NDA. I should not be held liable for a lapse in
their own processes. If they are able to come up with a legitimate copy of
the signed NDA and email with legitimate email headers - I will gracefully
apologize?which won?t occur since I did not sign such a document. In this
email, I also informed Jeff that I am terminating my 1099/contractor
agreement with Intersec Worldwide effective immediately.
>>>
>>> Due to the mention of legal action in their email, I have now retained
the services of an attorney and will be ready to see this matter to a
close. Instead of focusing on the fact that information was disclosed
after they had 6+ months to fix the vulnerability, they should be focusing
on the positive aspect that they were able to fix the vulnerability and
that it does not affect their product?s current release version.
>>>
>>> - Daniel Wood
>>>
>>>> On Dec 16, 2013, at 4:50 PM, Fyodor <fyodor@...p.org> wrote:
>>>>
>>>> On Fri, Dec 6, 2013 at 8:07 PM, Daniel Wood <daniel.wood@...sp.org>
wrote:
>>>> Title: [CVE-2013-6986] Insecure Data Storage in Subway Ordering for
>>>> California (ZippyYum) 3.4 iOS mobile application
>>>>
>>>> Reported to Vendor: May 2013
>>>> CVE Reference: CVE-2013-6986
>>>>
>>>> Apparently you touched a nerve! If the legal threats we received for
archiving this security advisory on SecLists.org are any indication,
ZippyYum really doesn't want anyone to know they were storing users' credit
card info (including security code) and passwords in cleartext on their
phones.
>>>>
>>>> "Please remove this information from your website immediately in order
>>>> at avoid further legal action." --Mikken Tutton, CEO of ZippyYum
>>>> client IntersecWorldWide
>>>>
>>>> Of course we have ignored the threats and kept the advisory proudly
>>>> posted at: http://seclists.org/fulldisclosure/2013/Dec/39
>>>>
>>>> Here are the legal threats we received today and last Wednesday:
>>>>
>>>> ---------- Forwarded message ----------
>>>> From: Mikken Tutton <mikken.tutton@...ersecworldwide.com>
>>>> Date: Mon, Dec 16, 2013 at 1:33 PM
>>>> Subject: Fwd:
>>>> To: johnc@...k.org.uk, fyodor@...p.org, hostmaster@...ecure.org
>>>>
>>>> Dear Webmaster,
>>>>
>>>> We contacted you last week regarding some private information about
>>>> our client that you have posted on your website, in violation of
>>>> Non-Disclosure agreements we have in place with our customer Zippy
>>>> Yum. We are requesting that this information be removed immediately.
>>>> The information to which I am referring is located on this page of
>>>> your website: http://seclists.org/fulldisclosure/2013/Dec/39
>>>>
>>>> We would appreciate the courtesy of a response to our email within 48
hours so we can resolve this issue.
>>>>
>>>> If we do not receive a response, we will turn this matter over to our
attorney for legal action. Thank you for your prompt attention to this
matter.
>>>>
>>>> Sincerely,
>>>>
>>>> Mikken Tutton
>>>> CEO
>>>>
>>>>
>>>> ---------- Forwarded message ----------
>>>> From: Mikken Tutton <mikken.tutton@...ersecworldwide.com>
>>>> Date: Wed, Dec 11, 2013 at 11:03 AM
>>>> Subject: Re:
>>>> To: fyodor@...p.org
>>>> Cc: johnc@...k.org.uk
>>>>
>>>> Dear Mr. Lyon,
>>>>
>>>> It has come to my attention that the attached information is posted on
your website about one of our clients. However, this information was
released to you with out authorization and is protected by the
Non-Disclosure Agreements we have in place, both with our client and also
with the contractor who submitted the information to your website in
violation of said NDA.
>>>>
>>>> Please remove this information from your website immediately in order
at avoid further legal action. Attached is a screen shot of the client
information I am referring to. Please advise if you have any questions.
>>>>
>>>> We appreciate your prompt attention to this matter.
>>>>
>>>> Thank you.
>>>>
>>>>
>>>> Sincerely,
>>>>
>>>> Mikken Tutton
>>>> CEO
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>> -------------- next part --------------
>>> An HTML attachment was scrubbed...
>>> URL: <
http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20131217/6ccba76b/attachment-0001.html
>
>>> -------------- next part --------------
>>> A non-text attachment was scrubbed...
>>> Name: signature.asc
>>> Type: application/pgp-signature
>>> Size: 496 bytes
>>> Desc: Message signed with OpenPGP using GPGMail
>>> URL: <
http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20131217/6ccba76b/attachment-0001.bin
>
>>>
>>> ------------------------------
>>>
>>> Subject: Digest Footer
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>> ------------------------------
>>>
>>> End of Full-Disclosure Digest, Vol 106, Issue 21
>>> ************************************************
>>> CONFIDENTIALITY NOTICE: This email communication and any attachments
may contain confidential
>>> and privileged information for the use of the designated recipients
named above. If you are
>>> not the intended recipient, you are hereby notified that you have
received this communication
>>> in error and that any review, disclosure, dissemination, distribution
or copying of it or its
>>> contents is prohibited. If you have received this communication in
error, please reply to the
>>> sender immediately or by telephone at (617) 426-0600 and destroy all
copies of this communication
>>> and any attachments. For further information regarding Commonwealth
Care Alliance's privacy policy,
>>> please visit our Internet web site at http://www.commonwealthcare.org.
>>>
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists