Date: Mon, 16 Dec 2013 14:50:32 -0800
From: Fyodor <fyodor@...p.org>
To: Full Disclosure Mailing List <full-disclosure@...ts.grok.org.uk>
Subject: Re: [CVE-2013-6986] Insecure Data Storage in
 Subway Ordering for California (ZippyYum) 3.4 iOS mobile application

On Fri, Dec 6, 2013 at 8:07 PM, Daniel Wood <daniel.wood@...sp.org> wrote:

> Title: [CVE-2013-6986] Insecure Data Storage in Subway Ordering for
> California (ZippyYum) 3.4 iOS mobile application
>
> Reported to Vendor: May 2013
> CVE Reference: CVE-2013-6986
>

Apparently you touched a nerve!  If the legal threats we received for
archiving this security advisory on SecLists.org are any indication,
ZippyYum really doesn't want anyone to know they were storing users' credit
card info (including security code) and passwords in cleartext on their
phones.

"Please remove this information from your website immediately in order to
avoid further legal action." --Mikken Tutton, CEO of ZippyYum client
IntersecWorldWide

Of course we have ignored the threats and kept the advisory proudly posted
at: http://seclists.org/fulldisclosure/2013/Dec/39

Here are the legal threats we received today and last Wednesday:

---------- Forwarded message ----------
From: Mikken Tutton <mikken.tutton@...ersecworldwide.com>
Date: Mon, Dec 16, 2013 at 1:33 PM
Subject: Fwd:
To: johnc@...k.org.uk, fyodor@...p.org, hostmaster@...ecure.org

Dear Webmaster,

We contacted you last week regarding some private information about our
client that you have posted on your website, in violation of Non-Disclosure
agreements we have in place with our customer Zippy Yum. We are requesting
that this information be removed immediately. The information to which I am
referring is located on this page of your website:
http://seclists.org/fulldisclosure/2013/Dec/39

We would appreciate the courtesy of a response to our email within 48 hours
so we can resolve this issue.

If we do not receive a response, we will turn this matter over to our
attorney for legal action. Thank you for your prompt attention to this
matter.

Sincerely,

Mikken Tutton
CEO


---------- Forwarded message ----------
From: Mikken Tutton <mikken.tutton@...ersecworldwide.com>
Date: Wed, Dec 11, 2013 at 11:03 AM
Subject: Re:
To: fyodor@...p.org
Cc: johnc@...k.org.uk

Dear Mr. Lyon,

It has come to my attention that the attached information is posted on your
website about one of our clients. However, this information was released to
you without authorization and is protected by the Non-Disclosure
Agreements we have in place, both with our client and also with the
contractor who submitted the information to your website in violation of
said NDA.

Please remove this information from your website immediately in order to
avoid further legal action. Attached is a screen shot of the client
information I am referring to. Please advise if you have any questions.

We appreciate your prompt attention to this matter.

Thank you.


Sincerely,

Mikken Tutton
CEO

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/