ZippyYum 3.4 Insecure Data Storage

2013.12.08
Risk: High
Local: Yes
Remote: No
CWE: CWE-310


CVSS Base Score: 2.1/10
Impact Subscore: 2.9/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Title: [CVE-2013-6986] Insecure Data Storage in Subway Ordering for California (ZippyYum) 3.4 iOS mobile application
Published: DATE
Reported to Vendor: May 2013
CVE Reference: CVE-2013-6986
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6986
CVSS v2 Base Score: 4.9
CVSS v2 Vector: (AV:L/AC:L/Au:N/C:C/I:N/A:N/E:H/RL:U/RC:C)
Credit: This issue was discovered by Daniel E. Wood
http://www.linkedin.com/in/danielewood
Vendor: ZippyYum, LLC | http://www.zippyyum.com
Application: https://itunes.apple.com/us/app/subwayoc/id510770549?mt=8
Tested Version: 3.4
File: SubwayOCKiosk.app
App Name: Subway CA Kiosk
Build Time-stamp: 2012-06-07_09-20-17

1. Introduction:

Subway CA is a mobile application available on both iOS and Android devices that allows customers to build and order food menu items and pay for them through the application using a payment card such as a debit or credit card.

2. Vulnerability Description:

The application stores sensitive data insecurely in cache files located within the ../Caches/com.ZippyYum.SubwayOC/ directory on the device. Loading Cache.db and/or Cache.db-wal in a tool that can read SQLite databases (such as RazorSQL) allows a malicious user to read unencrypted sensitive data stored in clear-text.

Sensitive data elements found within Cache.db and Cache.db-wal:
- password and encryptionKey for the application/user account
- customerPassword
- customerEmail
- deliveryStreet
- deliveryState
- deliveryZip
- paymentMethod
- paymentCardType
- paymentCardNumber
- paymentSecurityCode
- paymentExpMonth
- paymentExpYear
- paymentBillingCode
- customerPhone
- longitude (of device)
- latitude (of device)
- email

3. Vulnerability History:

May 9, 2013: Vulnerability identification
May 15, 2013: Unofficial vendor notification
August 4, 2013: Official vendor notification via report
September 20, 2013: Vulnerability remediation notification*
December 7, 2013: Vulnerability disclosure

*Current Version: 3.7.1 (Tested: only customerName, customerEmail, customerPhone, location, paymentCardType are in clear-text within Subway.sqlite-wal)
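The check described above, as an added Python example that is not part of the advisory or the vendor's code: it audits a copy of an app's SQLite cache for the field names listed in section 2 appearing next to a value, the test a reviewer runs to confirm (or, after a fix, to rule out) clear-text storage. The sample database and its values are constructed here; the table name cfurl_cache_receiver_data is assumed from the NSURLCache schema, and the scanner does not depend on it.

```python
import json
import re
import sqlite3
import tempfile
from pathlib import Path

# Field names the advisory found in clear-text inside Cache.db / Cache.db-wal.
SENSITIVE_FIELDS = ["password", "encryptionKey", "customerPassword", "customerEmail",
                    "paymentCardNumber", "paymentSecurityCode", "paymentExpMonth",
                    "paymentExpYear", "latitude", "longitude"]

def audit_sqlite_for_cleartext(db_path, fields=SENSITIVE_FIELDS):
    """Scan every TEXT/BLOB cell of every table for a field name followed by a value
    (JSON '"key": v' or form-encoded 'key=v'); returns {field: [(table, column, rowid)]}.
    Audit a copy, and keep Cache.db-wal beside Cache.db: sqlite3 replays the WAL itself."""
    patterns = {f: re.compile(rb'"?%s"?\s*[:=]\s*\S' % re.escape(f.encode())) for f in fields}
    hits = {}
    conn = sqlite3.connect(str(db_path))
    try:
        tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
            for rowid, *cells in conn.execute(f'SELECT rowid, * FROM "{table}"'):
                for col, cell in zip(cols, cells):
                    if isinstance(cell, str):
                        cell = cell.encode("utf-8", "replace")
                    if isinstance(cell, bytes):  # numbers and NULLs cannot carry a field name
                        for field, pat in patterns.items():
                            if pat.search(cell):
                                hits.setdefault(field, []).append((table, col, rowid))
    finally:
        conn.close()
    return hits

def build_sample_cache(directory):
    """Constructed sample: an NSURLCache-style table (name assumed) holding a cached JSON
    order response and a form-encoded location ping, as the advisory describes."""
    path = Path(directory) / "Cache.db"
    conn = sqlite3.connect(str(path))
    conn.execute("CREATE TABLE cfurl_cache_receiver_data (entry_ID INTEGER PRIMARY KEY, receiver_data BLOB)")
    order = {"customerEmail": "jane@example.invalid", "paymentCardNumber": "4111111111111111",
             "paymentSecurityCode": "123", "paymentExpMonth": "12", "paymentExpYear": "2015"}
    conn.execute("INSERT INTO cfurl_cache_receiver_data VALUES (1, ?)", (json.dumps(order).encode(),))
    conn.execute("INSERT INTO cfurl_cache_receiver_data VALUES (2, ?)",
                 (b"status=ok&latitude=34.05&longitude=-118.24",))
    conn.commit()
    conn.close()
    return path

def demo():
    # Build the constructed sample in a temp dir and audit it; returns the hit map.
    with tempfile.TemporaryDirectory() as tmp:
        return audit_sqlite_for_cleartext(build_sample_cache(tmp))
```

A clean result on the fixed build is an empty map; any field that still appears, such as the paymentCardType noted for 3.7.1, is reported with the table, column and row that hold it.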

References:

https://itunes.apple.com/us/app/subwayoc/id510770549?mt=8



Copyright 2024, cxsecurity.com
