Subway app's security update leaves a queasy feeling in my stomach

Security researcher Scott Helme asked an interesting question on Twitter earlier today, after he received an email from Subway.

Has the sandwich retailer been hacked?

[Image: Scott Helme's tweet]

Well, maybe it hasn't been hacked (the company hasn't said that it has suffered a security breach, so let's try to assume the worst hasn't happened for once in our lives), but what certainly has happened is that the company has rolled out a new "security upgrade" version of its SUBCARD iOS and Android apps, has locked some users' accounts, and reset passwords.

[Image: Subway's email to SUBCARD users]

To ensure you have the best experience using SUBCARD®, we have upgraded our security to ensure your account information remains safe and secure. Please ensure that you have downloaded and are using the latest version of the SUBCARD® App available (version 3.4).

As part of this upgrade you may have received an email from SUBCARD® informing you that your account has been locked and your existing password is no longer valid. To continue to use your SUBCARD® account please download the new app now using the links below. It's quick and easy to do: all you have to do is log out of the old app, download the new one and reset a new password.

Hmm. Those are the kind of messages you might put out after you have found that your systems have been breached by hackers.

A number of other users of Subway's app expressed their concern on Twitter.

But it's also possible that Subway hasn't been hacked. Maybe they have stumbled across a serious problem with their apps that could potentially be abused by online criminals, and they are taking pre-emptive steps.

Which, all in all, is a good thing. It's just a shame they're not being clearer about what is going on, so minds can be put at rest.

Visiting the app's page in the iOS App Store doesn't shed any more light on the matter, as the most recent update is described only as incorporating "minor bug fixes & security improvements", although it does recommend logging out of the app before updating (presumably to ensure that passwords are reset).

[Image: Subway's iOS App Store listing]

Finally, even if the app update is just a regular security update, it certainly sounds as if Subway is keen for you to be extremely careful with your password security online, advising users to change their passwords "across all sites you shop with":

At SUBCARD® your online safety is our priority, so we'd also encourage you to take the opportunity to change your details across all sites you shop with, especially for those where you hold the same password details across multiple sites.

Again, that kind of message doesn't inspire confidence that a data breach hasn't happened.

Apparently the current (one assumes flawed) version of the app will not work after September 25th.

You can read more on this page on the Subway website.

The webpage, by the way, is called security.html...

My recommendation? Update the app now, or change your lunch plans.



7 Responses

  1. JGJones

    August 24, 2015 at 2:22 pm #

    Security update plus need to change a password could be as simple as the fact that Subway was storing passwords in cleartext before and is now using hashing to store passwords and perhaps updated password policy (i.e. allow for long passwords using any characters?)

    http://plaintextoffenders.com/post/17148439770/subwaycouk-uks-subway-sandwiches-subways

    Just a guess really!

    • Graham Cluley in reply to JGJones.

      August 24, 2015 at 2:24 pm #

      Yes, that's a definite possibility.

      I don't think we should jump to any conclusions that Subway has been hacked. It's possible that they have found that they weren't securing customer data (such as passwords) properly and the security upgrade to the apps fixes that. Although it wouldn't have been ideal that they were doing that in the first place, it's a good thing if they are now fixing it.

      Like I said, it's a shame they're not sharing more information to put minds at rest.

    • Scott Helme in reply to JGJones.

      August 24, 2015 at 9:32 pm #

      If it was something like that though, they could just hash the existing passwords with whatever new process they were adopting and wouldn't need to reset passwords or lock accounts. There is no need to introduce that level of inconvenience to the user. The only reason I can think of to reset passwords and lock them out is if there was some kind of risk of exposure of the current password to prevent someone gaining access to your account. I've reached out to them for comment so will update Graham with any response I get. Hopefully this isn't anything sinister.
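The in-place upgrade Scott describes, as an added example (not Subway's code; the user names, passwords and sample stores are constructed for illustration): if the old backend held cleartext, each password is hashed directly; if it held an unsalted fast hash such as MD5, the existing digest is wrapped in a salted PBKDF2 and swapped for a native hash at the user's next successful login. In neither case does anyone need a password reset or a locked account.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption: PBKDF2 work factor picked for this demo

# Constructed sample stores standing in for the "before" state of an app backend.
PLAINTEXT_STORE = {"alice": "correct horse"}                            # cleartext
LEGACY_MD5_STORE = {"bob": hashlib.md5(b"battery staple").hexdigest()}  # unsalted MD5


def pbkdf2(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of an arbitrary string (password or legacy digest)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)


def migrate_plaintext(store: dict) -> dict:
    """Case 1: cleartext passwords can be hashed in place; users keep their passwords."""
    out = {}
    for user, password in store.items():
        salt = os.urandom(16)
        out[user] = {"scheme": "pbkdf2", "salt": salt, "hash": pbkdf2(password, salt)}
    return out


def migrate_weak_hash(store: dict) -> dict:
    """Case 2: unsalted MD5 digests are wrapped in PBKDF2 without needing the plaintext."""
    out = {}
    for user, md5_hex in store.items():
        salt = os.urandom(16)
        out[user] = {"scheme": "pbkdf2(md5)", "salt": salt, "hash": pbkdf2(md5_hex, salt)}
    return out


def verify(record: dict, password: str) -> bool:
    """Check a password under either scheme using a constant-time comparison."""
    if record["scheme"] == "pbkdf2":
        candidate = pbkdf2(password, record["salt"])
    else:  # wrapped legacy record: recompute the old MD5, then the wrapper
        candidate = pbkdf2(hashlib.md5(password.encode()).hexdigest(), record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def login_and_upgrade(record: dict, password: str) -> tuple:
    """On a successful login, replace a wrapped legacy record with a native one."""
    if not verify(record, password):
        return record, False
    if record["scheme"] != "pbkdf2":
        salt = os.urandom(16)
        record = {"scheme": "pbkdf2", "salt": salt, "hash": pbkdf2(password, salt)}
    return record, True
```

The wrapped form stays only until each user next logs in, so the legacy MD5 layer disappears from the store over time without any user-facing action.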

  2. Allan Watson

    August 24, 2015 at 9:51 pm #

    It seems to be worded very similarly to the phishing scams that attempt to get people to click on a link to "upgrade" their bank account or Yahoo details. Unless Subway confirms that it is genuine, it should be warning its members very publicly to ignore it.

  3. Anonymous

    August 25, 2015 at 6:06 pm #

    What does their app do? Why do people download it in the first place?

  4. Rachann

    August 25, 2015 at 8:55 pm #

    My card has been hacked and points used/stolen.

  5. Rob

    August 30, 2015 at 11:37 am #

    YES it HAS been hacked. Just look on the darknet marketplace AlphaBay. In the last few months they have sold THOUSANDS of usernames and passwords for this App. Around £1.30 for accounts with over 1000 points. Subway should just admit this – you can still buy accounts!!!
