Full Disclosure mailing list archives
Re: [CVE-2013-6986] Insecure Data Storage in Subway Ordering for California (ZippyYum) 3.4 iOS mobile application
From: William Scott Lockwood III <scott () guppylog com>
Date: Tue, 17 Dec 2013 06:32:24 -0600
Hilarious. If I were just plain ignoring the PCI DSS, I'd want to hide evidence of it, too. If you really want to ruin their day, report this to VISA.

--
W. Scott Lockwood III
GWB20090338817
AMST Tech

On Dec 17, 2013 3:12 AM, "Fyodor" <fyodor () nmap org> wrote:
> On Fri, Dec 6, 2013 at 8:07 PM, Daniel Wood <daniel.wood () owasp org> wrote:
>> Title: [CVE-2013-6986] Insecure Data Storage in Subway Ordering for California (ZippyYum) 3.4 iOS mobile application
>> Reported to Vendor: May 2013
>> CVE Reference: CVE-2013-6986
>
> Apparently you touched a nerve! If the legal threats we received for archiving this security advisory on SecLists.org are any indication, ZippyYum really doesn't want anyone to know they were storing users' credit card info (including security code) and passwords in cleartext on their phones.
>
> "Please remove this information from your website immediately in order to avoid further legal action."
> --Mikken Tutton, CEO of ZippyYum client IntersecWorldWide
>
> Of course we have ignored the threats and kept the advisory proudly posted at:
> http://seclists.org/fulldisclosure/2013/Dec/39
>
> Here are the legal threats we received today and last Wednesday:
>
> ---------- Forwarded message ----------
> From: Mikken Tutton <mikken.tutton () intersecworldwide com>
> Date: Mon, Dec 16, 2013 at 1:33 PM
> Subject: Fwd:
> To: johnc () grok org uk, fyodor () nmap org, hostmaster () insecure org
>
> Dear Webmaster,
>
> We contacted you last week regarding some private information about our client that you have posted on your website, in violation of Non-Disclosure agreements we have in place with our customer Zippy Yum. We are requesting that this information be removed immediately. The information to which I am referring is located on this page of your website:
>
> http://seclists.org/fulldisclosure/2013/Dec/39
>
> We would appreciate the courtesy of a response to our email within 48 hours so we can resolve this issue. If we do not receive a response, we will turn this matter over to our attorney for legal action.
>
> Thank you for your prompt attention to this matter.
>
> Sincerely,
> Mikken Tutton
> CEO
>
> ---------- Forwarded message ----------
> From: Mikken Tutton <mikken.tutton () intersecworldwide com>
> Date: Wed, Dec 11, 2013 at 11:03 AM
> Subject: Re:
> To: fyodor () nmap org
> Cc: johnc () grok org uk
>
> Dear Mr. Lyon,
>
> It has come to my attention that the attached information is posted on your website about one of our clients. However, this information was released to you without authorization and is protected by the Non-Disclosure Agreements we have in place, both with our client and also with the contractor who submitted the information to your website in violation of said NDA. Please remove this information from your website immediately in order to avoid further legal action. Attached is a screen shot of the client information I am referring to.
>
> Please advise if you have any questions. We appreciate your prompt attention to this matter.
>
> Thank you.
>
> Sincerely,
> Mikken Tutton
> CEO
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- [CVE-2013-6986] Insecure Data Storage in Subway Ordering for California (ZippyYum) 3.4 iOS mobile application Daniel Wood (Dec 07)
- Re: [CVE-2013-6986] Insecure Data Storage in Subway Ordering for California (ZippyYum) 3.4 iOS mobile application Fyodor (Dec 17)
- Re: [CVE-2013-6986] Insecure Data Storage in Subway Ordering for California (ZippyYum) 3.4 iOS mobile application William Scott Lockwood III (Dec 17)
- Re: [CVE-2013-6986] Insecure Data Storage in Subway Ordering for California (ZippyYum) 3.4 iOS mobile application coderman (Dec 17)
- Re: [CVE-2013-6986] Insecure Data Storage in Subway Ordering for California (ZippyYum) 3.4 iOS mobile application Daniel Wood (Dec 18)
- Re: [CVE-2013-6986] Insecure Data Storage in Subway Ordering for California (ZippyYum) 3.4 iOS mobile application Fyodor (Dec 17)