Kura Sushi App Vulnerability Exposes Push Notifications to Interception
AI-generated from multiple sources. Verify before acting on this reporting.
TOKYO — A security flaw in the Kura Sushi Official App has left the mobile application vulnerable to man-in-the-middle attacks, according to findings released Monday by Japanese cybersecurity authorities.
The vulnerability, identified within the app developed by EPG, Inc., stems from improper certificate validation on push notifications. The flaw allows unauthorized parties to potentially intercept or alter messages sent to users, compromising the integrity of the communication channel between the sushi chain's servers and customers' devices.
The issue was disclosed on May 11, 2026, following an assessment by the Japan Computer Emergency Response Team (JPCERT/CC) and the Information-technology Promotion Agency (IPA). Both agencies have flagged the defect as a significant risk to user data security, particularly regarding the transmission of promotional offers, reservation confirmations, and loyalty program updates.
EPG, Inc., the developer responsible for the Kura Sushi Official App, has acknowledged the vulnerability. The company stated that the flaw exists within the logic governing how the app validates digital certificates during the push notification process. Without proper validation, malicious actors could theoretically insert themselves into the communication stream, presenting a fraudulent certificate that the app would accept as legitimate.
Cybersecurity experts warn that such vulnerabilities are common in mobile applications that fail to implement strict certificate pinning or validation protocols. In this instance, the lack of rigorous checks means that an attacker with control over a local network, such as a compromised public Wi-Fi hotspot, could redirect traffic intended for Kura Sushi's servers.
The scope of the potential impact remains under review. While the vulnerability specifically targets push notifications, experts note that these messages often contain links directing users to the main application or external websites. If an attacker successfully intercepts these notifications, they could redirect users to phishing sites designed to steal login credentials or payment information.
Kura Sushi, one of Japan's largest conveyor belt sushi chains, relies heavily on its mobile application for customer engagement. The app is widely used for ordering, payment processing, and managing rewards points. A breach of trust in the application's security could have broader implications for the company's reputation and customer confidence.
As of Monday, EPG, Inc. had not released a specific timeline for a patch to address the certificate validation issue. The company is expected to work with the relevant authorities to develop a fix that ensures all incoming push notifications are properly authenticated.
Users are advised to exercise caution when interacting with push notifications from the app until an update is deployed. Security researchers recommend that users avoid clicking on links within suspicious notifications and ensure their devices are running the latest operating system updates to mitigate potential risks.
The situation remains fluid as authorities monitor the developer's response and assess whether any exploitation of the vulnerability has already occurred. Further details on the technical specifics of the flaw and the extent of any potential data exposure are pending.