Full Disclosure mailing list archives

Re: [CVE-2013-6986] Insecure Data Storage in Subway Ordering for California (ZippyYum) 3.4 iOS mobile application


From: Daniel Wood <daniel.wood () owasp org>
Date: Tue, 17 Dec 2013 16:13:03 -0600

I would like to point out that the statements made in the emails from mikken.tutton () intersecworldwide com are untrue 
at best, defamatory at worst.  I am not going to lambast Jeff, Mikken, or Intersec Worldwide - but I will defend 
myself.  Normally I would not respond to something like this in a public forum, however, Intersec Worldwide has forced 
my hand due to their untrue statements.

I never signed a Non-Disclosure Agreement with Intersec Worldwide when I started my contracting work for them.  Now 
that’s not to say I am going to start publishing all the vulnerabilities of their clients, far from it.  I am stating 
this because prior to this email going out, I was called by Jeff Tutton the ‘CISO’ about the matter.  We talked briefly 
for about 10 minutes on Wednesday, December 11, 2013.  During this phone call I mentioned the fact that no NDA had been 
signed.  He said he would look into this and work with his client on the matter regarding the vulnerability disclosure. 
I never heard back from him or anyone at Intersec Worldwide after this.
I emailed Jeff/Intersec this morning when I saw Fyodor’s post and Mikken’s/Intersec email alleging I violated their 
NDA.  I gave Jeff/Intersec until EOB today to provide the original email with the signed NDA I sent to them, however, I 
have yet to receive this.  I asked for a copy of the allegedly signed NDA last week as well.  Failure to provide a 
legitimate copy of my sent email with a signed NDA proves to me that they forgot to have me sign an NDA.  I should not 
be held liable for a lapse in their own processes.  If they are able to come up with a legitimate copy of the signed 
NDA and email with legitimate email headers - I will gracefully apologize…which won’t occur since I did not sign such a 
document.  In this email, I also informed Jeff that I am terminating my 1099/contractor agreement with Intersec 
Worldwide effective immediately.

Due to the mention of legal action in their email, I have now retained the services of an attorney and will be ready to 
see this matter to a close.  Instead of focusing on the fact that information was disclosed after they had 6+ months to 
fix the vulnerability, they should be focusing on the positive aspect that they were able to fix the vulnerability and 
that it does not affect their product’s current release version.  

- Daniel Wood

On Dec 16, 2013, at 4:50 PM, Fyodor <fyodor () nmap org> wrote:

On Fri, Dec 6, 2013 at 8:07 PM, Daniel Wood <daniel.wood () owasp org> wrote:
Title: [CVE-2013-6986] Insecure Data Storage in Subway Ordering for California (ZippyYum) 3.4 iOS mobile application

Reported to Vendor: May 2013
CVE Reference: CVE-2013-6986

Apparently you touched a nerve!  If the legal threats we received for archiving this security advisory on 
SecLists.org are any indication, ZippyYum really doesn't want anyone to know they were storing users' credit card 
info (including security code) and passwords in cleartext on their phones.

"Please remove this information from your website immediately in order to avoid further legal action." --Mikken 
Tutton, CEO of ZippyYum client IntersecWorldWide

Of course we have ignored the threats and kept the advisory proudly posted at: 
http://seclists.org/fulldisclosure/2013/Dec/39

Here are the legal threats we received today and last Wednesday:

---------- Forwarded message ----------
From: Mikken Tutton <mikken.tutton () intersecworldwide com>
Date: Mon, Dec 16, 2013 at 1:33 PM
Subject: Fwd:
To: johnc () grok org uk, fyodor () nmap org, hostmaster () insecure org

Dear Webmaster,

We contacted you last week regarding some private information about our client that you have posted on your website, 
in violation of Non-Disclosure agreements we have in place with our customer Zippy Yum. We are requesting that this 
information be removed immediately. The information to which I am referring is located on this page of your website: 
http://seclists.org/fulldisclosure/2013/Dec/39

We would appreciate the courtesy of a response to our email within 48 hours so we can resolve this issue.

If we do not receive a response, we will turn this matter over to our attorney for legal action. Thank you for your 
prompt attention to this matter.

Sincerely,

Mikken Tutton
CEO


---------- Forwarded message ----------
From: Mikken Tutton <mikken.tutton () intersecworldwide com>
Date: Wed, Dec 11, 2013 at 11:03 AM
Subject: Re:
To: fyodor () nmap org
Cc: johnc () grok org uk

Dear Mr. Lyon,

It has come to my attention that the attached information is posted on your website about one of our clients. 
However, this information was released to you without authorization and is protected by the Non-Disclosure 
Agreements we have in place, both with our client and also with the contractor who submitted the information to your 
website in violation of said NDA.

Please remove this information from your website immediately in order to avoid further legal action. Attached is a 
screen shot of the client information I am referring to. Please advise if you have any questions.

We appreciate your prompt attention to this matter.

Thank you.


Sincerely,

Mikken Tutton
CEO

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
