Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:30147
HistoryDec 30, 2013 - 12:00 a.m.

[CVE-2013-6986] Insecure Data Storage in Subway Ordering for California (ZippyYum) 3.4 iOS mobile application

2013-12-3000:00:00
vulners.com
27

Title: [CVE-2013-6986] Insecure Data Storage in Subway Ordering for California (ZippyYum) 3.4 iOS mobile application

Published: December 7, 2013
Reported to Vendor: May 2013
CVE Reference: CVE-2013-6986
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6986

CVSS v2 Base Score: 4.9
CVSS v2 Vector (AV:L/AC:L/Au:N/C:C/I:N/A:N/E:H/RL:U/RC:C)

Credit: This issue was discovered by Daniel E. Wood
http://www.linkedin.com/in/danielewood

Originally posted here: http://seclists.org/fulldisclosure/2013/Dec/39

Vendor: ZippyYum, LLC | http://www.zippyyum.com
Application: https://itunes.apple.com/us/app/subwayoc/id510770549?mt=8
Tested Version: 3.4

File: SubwayOCKiosk.app
App Name: Subway CA Kiosk
Build Time-stamp: 2012-06-07_09-20-17

  1. Introduction: Subway CA is a mobile application available both on iOS and Android based devices that allows customers to build and order food menu items that can be paid for through the application using a payment card such as a debit or credit card.

  2. Vulnerability Description: The application stores sensitive data insecurely to cache files located within …/Caches/com.ZippyYum.SubwayOC/ directory on the device.

Loading Cache.db and/or Cache.db-wal in a tool that can read sqlite databases (such as RazorSQL) will allow a malicious user to read unencrypted sensitive data stored in clear-text.

Sensitive data elements found within Cache.db and Cache.db-wal:

  • password and encryptionKey for the application/user account
  • customerPassword
  • customerEmail
  • deliveryStreet
  • deliveryState
  • deliveryZip
  • paymentMethod
  • paymentCardType
  • paymentCardNumber
  • paymentSecurityCode
  • paymentExpMonth
  • paymentExpYear
  • paymentBillingCode
  • customerPhone
  • longitude (of device)
  • latitude (of device)
  • email
  1. Vulnerability History:
    May 9, 2013: Vulnerability identification
    May 15, 2013: Unofficial vendor notification
    August 4, 2013: Official vendor notification via report
    September 20, 2013: Vulnerability remediation notification*
    December 7, 2013: Vulnerability disclosure

*Current Version: 3.7.1 (Tested: only customerName, customerEmail, customerPhone, location, paymentCardType are in clear-text within Subway.sqlite-wal)

Related for SECURITYVULNS:DOC:30147