Basically what the below is telling you is: If you eat at Subway, DON’T use your debit or credit card.
Title: [CVE-2013-6986] Insecure Data Storage in Subway Ordering for California (ZippyYum) 3.4 iOS mobile application
Reported to Vendor: May 2013
CVE Reference: CVE-2013-6986
CVSS v2 Base Score: 4.9
CVSS v2 Vector (AV:L/AC:L/Au:N/C:C/I:N/A:N/E:H/RL:U/RC:C)
Credit: This issue was discovered by Daniel E. Wood
Vendor: ZippyYum, LLC | http://www.zippyyum.com
Tested Version: 3.4
App Name: Subway CA Kiosk
Build Time-stamp: 2012-06-07_09-20-17
1. Introduction: Subway CA is a mobile application, available for both iOS- and Android-based devices, that allows customers to build and order food menu items and pay for them through the application using a payment card such as a debit or credit card.
2. Vulnerability Description: The application stores sensitive data insecurely in cache files located within the ../Caches/com.ZippyYum.SubwayOC/ directory on the device.
Loading Cache.db and/or Cache.db-wal in a tool that can read sqlite databases (such as RazorSQL) allows a malicious user with access to the device file system to read sensitive data that is stored unencrypted, in clear text.
Sensitive data elements found within Cache.db and Cache.db-wal:
- password and encryptionKey for the application/user account
- longitude (of device)
- latitude (of device)
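The check a developer or tester would want here is an automated one: open the app's cache database and look for field names that should never be cached in clear text. The script below is an added example, not code from the advisory or from ZippyYum. It builds a constructed sample Cache.db whose table names (cfurl_cache_response, cfurl_cache_receiver_data) only mimic an iOS URL cache and are an assumption; the scanner itself is schema-agnostic and walks every TEXT/BLOB cell of every table. The three field names taken from the advisory are password, encryptionKey, longitude and latitude; the other names in SENSITIVE_FIELDS are assumed additions. Python's sqlite3 applies a Cache.db-wal file automatically when it sits next to Cache.db, so both files named in the advisory are covered by opening the main file.

```python
"""Audit an SQLite cache database for clear-text sensitive fields.

Added example (not the advisory's or the vendor's code). Scans every
table and every TEXT/BLOB column of an SQLite file for sensitive field
names followed by a value separator (JSON ':', form '=', plist </key>).
"""
import contextlib
import os
import re
import sqlite3
import tempfile

# Field names a mobile app should never leave in an on-device cache.
# password, encryptionKey, longitude, latitude come from the advisory;
# the remaining names are assumed additions for illustration.
SENSITIVE_FIELDS = (
    "password", "encryptionKey", "longitude", "latitude",
    "paymentCardNumber", "cvv", "authToken",
)


def _cells(conn):
    """Yield (table, column, value) for every TEXT/BLOB cell in the database."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master "
        "WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        quoted = '"' + table.replace('"', '""') + '"'
        cur = conn.execute(f"SELECT * FROM {quoted}")
        cols = [d[0] for d in cur.description]
        for row in cur:
            for col, val in zip(cols, row):
                if isinstance(val, (str, bytes)):
                    yield table, col, val


def scan_cache_db(path, fields=SENSITIVE_FIELDS):
    """Return sorted (table, column, field) triples for every cell holding a
    sensitive field name in clear text. Work on a copy of the file when
    auditing a real device image; this opens the file in place."""
    canonical = {f.lower(): f for f in fields}
    names = b"|".join(re.escape(f.encode()) for f in fields)
    pattern = re.compile(
        rb"(" + names + rb")\s*[\"']?\s*(?:[:=]|</key>)", re.IGNORECASE)
    hits = set()
    with contextlib.closing(sqlite3.connect(path)) as conn:
        for table, col, val in _cells(conn):
            data = val.encode("utf-8", "replace") if isinstance(val, str) else val
            for m in pattern.finditer(data):
                hits.add((table, col, canonical[m.group(1).decode().lower()]))
    return sorted(hits)


def build_sample_cache(path):
    """Create a constructed cache file resembling an app that cached a JSON
    login response. Table names only mimic an iOS URL cache (assumption)."""
    with contextlib.closing(sqlite3.connect(path)) as conn:
        conn.execute("PRAGMA journal_mode=WAL")
        conn.execute("CREATE TABLE cfurl_cache_response "
                     "(entry_ID INTEGER PRIMARY KEY, request_key TEXT)")
        conn.execute("CREATE TABLE cfurl_cache_receiver_data "
                     "(entry_ID INTEGER PRIMARY KEY, receiver_data BLOB)")
        # Constructed sample body: the kind of response that should never be cached.
        body = (b'{"customerEmail":"user@example.invalid","password":"hunter2",'
                b'"encryptionKey":"0123abcd","latitude":37.77,"longitude":-122.41}')
        conn.execute("INSERT INTO cfurl_cache_response VALUES (1, ?)",
                     ("https://api.example.invalid/login",))
        conn.execute("INSERT INTO cfurl_cache_receiver_data VALUES (1, ?)", (body,))
        conn.commit()
    return path


def demo():
    """Build the constructed sample cache in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        db = build_sample_cache(os.path.join(tmp, "Cache.db"))
        return scan_cache_db(db)


if __name__ == "__main__":
    for table, col, field in demo():
        print(f"clear-text {field!r} found in {table}.{col}")
```

Any hit from this scan is a finding: either the server should mark such responses Cache-Control: no-store so the client's URL cache never writes them, or the app should decline to cache the response itself. Re-running the scan against the cache directory after a fix is the regression check for this class of issue.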
3. Vulnerability History:
May 9, 2013: Vulnerability identification
May 15, 2013: Unofficial vendor notification
August 4, 2013: Official vendor notification via report
September 20, 2013: Vulnerability remediation notification*
December 7, 2013: Vulnerability disclosure
*Current Version: 3.7.1 (Tested: only customerName, customerEmail, customerPhone, location, paymentCardType are in clear-text within
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/