CVE-2023-22362

7.5 HIGH

📋 TL;DR

The SUSHIRO Android app logs sensitive credential information to device log files, allowing attackers with physical or remote access to the device to potentially steal authentication credentials. This affects users of SUSHIRO apps in multiple Asian regions including Thailand, Hong Kong, Singapore, and Taiwan.

💻 Affected Systems

Products:
  • SUSHIRO App for Android
Versions: SUSHIRO Ver.4.0.31, Thailand SUSHIRO Ver.1.0.0, Hong Kong SUSHIRO Ver.3.0.2, Singapore SUSHIRO Ver.2.0.0, Taiwan SUSHIRO Ver.2.0.1
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable by default. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain full access to user accounts, potentially leading to financial fraud, identity theft, or unauthorized purchases using stored payment methods.

🟠 Likely Case

Local attackers or malicious apps with log access steal credentials, compromising user accounts and personal information.

🟢 If Mitigated

With proper app sandboxing and log access restrictions, only privileged system users could access logs, limiting exposure.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to device logs, which typically needs physical access or a malicious app with appropriate permissions. No authentication bypass needed once log access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to latest version from Google Play Store

Vendor Advisory: https://jvn.jp/en/jp/JVN84642320/

Restart Required: Yes

Instructions:

1. Open Google Play Store
2. Search for SUSHIRO app
3. Check for updates
4. Install latest version
5. Restart the app

🔧 Temporary Workarounds

Disable debug logging

Prevent sensitive data from being written to logs by disabling debug logging in the app

Restrict log access

Use Android permissions to restrict which apps can read system logs

🧯 If You Can't Patch

  • Uninstall affected SUSHIRO app versions immediately
  • Monitor device for suspicious log access attempts and implement app whitelisting

🔍 How to Verify

Check if Vulnerable:

Check the app version in the Google Play Store or in the app's settings. If the version matches the affected list, the device is vulnerable.

Check Version:

adb shell dumpsys package hk.co.akindo_sushiro.sushiroapp | grep versionName

Verify Fix Applied:

Update the app through the Google Play Store and verify that the new version does not match the affected versions list.

📡 Detection & Monitoring

Log Indicators:

  • Sensitive strings like passwords, tokens, or credentials in Android logcat output from SUSHIRO app

Network Indicators:

  • Unusual authentication attempts from new devices using credentials that appeared in logs

SIEM Query:

source="android_logs" app="sushiro" (password OR token OR credential OR auth) NOT noise_terms
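
The log indicator above can be checked on a saved `adb logcat -v threadtime` capture. The following is an added example, not code from the vendor or the advisory: it reports credential-like fields by key name and value length only, and can redact a line before it is shared. The tag hint `sushiro`, the key names, the PID and every sample line are constructed assumptions.

```python
import re

# `adb logcat -v threadtime`: "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message"
LINE_RE = re.compile(
    r"^(\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+(\d+)\s+(\d+)\s+([VDIWEF])\s+(.*?)\s*: (.*)$")
# Credential-like keys (assumed names) as key=value, key: value or JSON "key":"value".
SECRET_RE = re.compile(
    r"""["']?(?P<key>[\w.-]*(?:pass(?:word|wd)?|token|credential|auth|secret)[\w.-]*)["']?"""
    r"""\s*[=:]\s*(?:Bearer\s+)?["']?(?P<value>[^\s"',;&}]+)""", re.IGNORECASE)

# Constructed sample capture; tags, PIDs and values are invented for illustration.
SAMPLE = """\
01-15 10:22:31.104  4312  4312 D SushiroApp: login request user=alice@example.com password=Hunter2!x
01-15 10:22:31.870  4312  4340 D OkHttp  : {"status":"ok","access_token":"eyJhbGciOi.constructed"}
01-15 10:22:32.002  1189  1201 I ActivityManager: Displayed com.example/.Main: +312ms
01-15 10:22:33.515  4312  4312 I SushiroApp: reservation list loaded, 3 items
01-15 10:22:34.000  2750  2750 D OtherApp: token=not-from-this-app
"""


def scan_logcat(text, pids=None, tag_hint="sushiro"):
    """Findings for lines written by the given PIDs or whose tag contains tag_hint."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not a threadtime record (e.g. "--------- beginning of main")
        ts, pid, _tid, level, tag, msg = m.groups()
        if not ((pids and int(pid) in pids) or tag_hint in tag.lower()):
            continue  # line belongs to another process
        for s in SECRET_RE.finditer(msg):
            # Record the key and the value's length, never the value itself.
            findings.append({"line": lineno, "time": ts, "pid": int(pid), "level": level,
                             "tag": tag, "key": s.group("key"),
                             "value_len": len(s.group("value"))})
    return findings


def redact(line):
    """Replace every credential-like value in a log line with a fixed marker."""
    return SECRET_RE.sub(
        lambda s: s.group(0)[: s.start("value") - s.start()] + "<redacted>", line)


if __name__ == "__main__":
    for finding in scan_logcat(SAMPLE, pids={4312}):
        print(finding)
```

Passing the app's PID set catches lines that its libraries log under their own tags, which a tag match alone would miss.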
