[CVE-2013-6986] Insecure Data Storage in Subway Ordering for Cal
Title: [CVE-2013-6986] Insecure Data Storage in Subway Ordering for California (ZippyYum) 3.4 iOS mobile application
Published: December 7, 2013
Reported to Vendor: May 2013
CVE Reference: CVE-2013-6986
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6986
CVSS v2 Base Score: 4.9
CVSS v2 Vector (AV:L/AC:L/Au:N/C:C/I:N/A:N/E:H/RL:U/RC:C)
Credit: This issue was discovered by Daniel E. Wood
http://www.linkedin.com/in/danielewood
Originally posted here: http://seclists.org/fulldisclosure/2013/Dec/39
Vendor: ZippyYum, LLC | http://www.zippyyum.com
Application: https://itunes.apple.com/us/app/subwayoc/id510770549?mt=8
Tested Version: 3.4
File: SubwayOCKiosk.app
App Name: Subway CA Kiosk
Build Time-stamp: 2012-06-07_09-20-17
1. Introduction: Subway CA is a mobile application available on both iOS and Android devices that allows customers to build and order menu items and pay for them inside the application with a payment card such as a debit or credit card.
2. Vulnerability Description: The application stores sensitive data insecurely in cache files located in the .../Caches/com.ZippyYum.SubwayOC/ directory on the device. Cache.db is an SQLite database and Cache.db-wal is its write-ahead log; rows that have not yet been checkpointed into Cache.db exist only in the -wal file, so both must be examined. Loading Cache.db and/or Cache.db-wal in a tool that can read SQLite databases (such as RazorSQL) allows a malicious user with local access to the device's file system (the vector above is AV:L) to read the sensitive data, which is stored unencrypted in clear text.
Sensitive data elements found within Cache.db and Cache.db-wal:
- password and encryptionKey for the application/user account
- customerPassword
- customerEmail
- deliveryStreet
- deliveryState
- deliveryZip
- paymentMethod
- paymentCardType
- paymentCardNumber
- paymentSecurityCode
- paymentExpMonth
- paymentExpYear
- paymentBillingCode
- customerPhone
- longitude (of device)
- latitude (of device)
- email
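The manual RazorSQL inspection described above, automated as an added example that is not part of the advisory or of the vendor's code. The scanner opens a Cache.db, walks every table and column, and reports any of the field names listed above found in clear text in a text or blob cell; because SQLite merges Cache.db-wal automatically when it sits beside the database, rows that only live in the write-ahead log are covered too. The fixture is constructed: its table names (cfurl_cache_receiver_data, cfurl_cache_blob_data) are assumed to loosely imitate an NSURLCache store and are not taken from the Subway app, and the card number, e-mail and password values are made up.

```python
"""Scan an iOS NSURLCache store (Cache.db plus Cache.db-wal) for clear-text
sensitive fields.  Added example; work on a copy of Cache.db, Cache.db-wal
and Cache.db-shm so the evidence files are never modified."""
import json
import os
import re
import sqlite3
import tempfile

# Field names taken from the advisory's list of data found in Cache.db.
SENSITIVE_KEYS = (
    "password", "encryptionKey", "customerPassword", "customerEmail",
    "paymentCardNumber", "paymentSecurityCode", "paymentExpMonth",
    "paymentExpYear", "customerPhone", "latitude", "longitude",
)

# Whole-word key, up to four separator characters (covers '": "' in JSON
# and '=' in URL-encoded bodies), then the value up to the next delimiter.
_KEY_RE = re.compile(
    rb"\b(" + b"|".join(re.escape(k.encode()) for k in SENSITIVE_KEYS) + rb")\b"
    rb"\W{0,4}([^\s\"'&,;{}\[\]]{1,64})"
)


def _cells(con):
    """Yield (table, column, rowid, raw bytes) for every text or blob cell."""
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        cur = con.execute(f'SELECT rowid, * FROM "{table}"')
        cols = [d[0] for d in cur.description][1:]
        for row in cur:
            for col, val in zip(cols, row[1:]):
                if isinstance(val, str):
                    val = val.encode("utf-8", "replace")
                if isinstance(val, (bytes, bytearray)):
                    yield table, col, row[0], bytes(val)


def scan_cache_db(db_path):
    """Return [(table, column, rowid, key, value)] for every sensitive key
    found in clear text.  SQLite reads <db>-wal on its own when present."""
    con = sqlite3.connect(db_path)
    try:
        hits = []
        for table, col, rowid, raw in _cells(con):
            for m in _KEY_RE.finditer(raw):
                hits.append((table, col, rowid, m.group(1).decode(),
                             m.group(2).decode("utf-8", "replace")))
        return hits
    finally:
        con.close()


def build_sample_cache(directory):
    """Constructed fixture.  Table names are assumed, not copied from the app.
    The store is left in WAL mode with the writer still open, so the rows are
    only in Cache.db-wal and the scanner must read them from there."""
    path = os.path.join(directory, "Cache.db")
    writer = sqlite3.connect(path)
    writer.execute("PRAGMA journal_mode=WAL")
    writer.execute("CREATE TABLE cfurl_cache_receiver_data "
                   "(entry_ID INTEGER PRIMARY KEY, receiver_data BLOB)")
    writer.execute("CREATE TABLE cfurl_cache_blob_data "
                   "(entry_ID INTEGER PRIMARY KEY, request_object BLOB)")
    order = json.dumps({"customerEmail": "alice@example.com",        # made-up values
                        "paymentCardNumber": "4111111111111111",
                        "paymentSecurityCode": "123",
                        "paymentExpMonth": 12}).encode()
    login = b"customerPassword=hunter2&encryptionKey=abc123&latitude=34.05"
    writer.execute("INSERT INTO cfurl_cache_receiver_data VALUES (1, ?)", (order,))
    writer.execute("INSERT INTO cfurl_cache_blob_data VALUES (7, ?)", (login,))
    writer.commit()
    return path, writer


def demo():
    """Build the fixture, scan it, and return (wal_file_present, hits)."""
    with tempfile.TemporaryDirectory() as d:
        path, writer = build_sample_cache(d)
        wal_present = os.path.exists(path + "-wal")
        hits = scan_cache_db(path)
        writer.close()
    return wal_present, hits


if __name__ == "__main__":
    wal_present, hits = demo()
    print("Cache.db-wal present:", wal_present)
    secret = {"paymentCardNumber", "paymentSecurityCode", "customerPassword", "encryptionKey"}
    for table, col, rowid, key, value in hits:
        shown = value[:2] + "*" * (len(value) - 2) if key in secret else value
        print(f"{table}.{col} row {rowid}: {key} = {shown}")
```

Pointing scan_cache_db at a real Cache.db copied out of .../Caches/com.ZippyYum.SubwayOC/ together with its -wal and -shm files reproduces the advisory's finding without a GUI; the key list can be extended with whatever field names the target application uses.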
3. Vulnerability History:
May 9, 2013: Vulnerability identification
May 15, 2013: Unofficial vendor notification
August 4, 2013: Official vendor notification via report
September 20, 2013: Vulnerability remediation notification*
December 7, 2013: Vulnerability disclosure
*Current Version: 3.7.1 (Tested: only customerName, customerEmail, customerPhone, location, paymentCardType are in clear-text within Subway.sqlite-wal)