CVE-2024-52614
📋 TL;DR
The Kura Sushi Official App for Android versions before 3.8.5 contains a hard-coded cryptographic key vulnerability. This allows local attackers to potentially extract login credentials stored by the app. Only Android users running vulnerable app versions are affected.
💻 Affected Systems
- Kura Sushi Official App Produced by EPARK
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers with physical access to the device could extract stored login IDs and passwords, potentially leading to account compromise and unauthorized access to user accounts.
Likely Case
Malicious apps on the same device could access the hard-coded key and decrypt stored credentials, leading to credential theft.
If Mitigated
With app isolation and proper device security controls, only apps with specific permissions could exploit this vulnerability.
🎯 Exploit Status
Exploitation requires local access to the device or a malicious app with storage access permissions. The hard-coded key can be extracted from the app package.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.8.5
Vendor Advisory: https://jvn.jp/en/jp/JVN16114985/
Restart Required: Yes
Instructions:
1. Open Google Play Store 2. Search for 'Kura Sushi Official App' 3. Update to version 3.8.5 or later 4. Restart the app after update
🔧 Temporary Workarounds
Uninstall vulnerable app
androidRemove the vulnerable app version until update is available
adb uninstall jp.co.kura_corpo
Restrict app permissions
androidLimit app storage access to reduce attack surface
Go to Settings > Apps > Kura Sushi > Permissions > Disable Storage access
🧯 If You Can't Patch
- Isolate the app using Android work profile or secure folder
- Monitor for suspicious activity and change passwords regularly
🔍 How to Verify
Check if Vulnerable:
Check app version in Google Play Store or Settings > Apps > Kura Sushi > App infoCheck Version:
adb shell dumpsys package jp.co.kura_corpo | grep versionNameVerify Fix Applied:
Confirm app version is 3.8.5 or higher in app settings📡 Detection & Monitoring
Log Indicators:
- Unusual app data access patterns
- Multiple failed login attempts
Network Indicators:
- Unexpected credential-related network traffic
SIEM Query:
app:"Kura Sushi" AND version:<3.8.5