CVE-2014-0647 - Credentials Management vulnerability in Starbucks 2.6.1
Attack vector | LOCAL |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | PARTIAL |
Integrity impact | NONE |
Availability impact | NONE |
Summary
The Starbucks 2.6.1 application for iOS stores sensitive information in plaintext in the Crashlytics log file (/Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog), which allows attackers to discover usernames, passwords, and e-mail addresses via an application that reads session.clslog.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 1 |
OS | | 1 |
Common Weakness Enumeration (CWE)
Packetstorm
data source | https://packetstormsecurity.com/files/download/124768/starbucks-disclose.txt |
id | PACKETSTORM:124768 |
last seen | 2016-12-05 |
published | 2014-01-14 |
reporter | Daniel E. Wood |
source | https://packetstormsecurity.com/files/124768/Starbucks-2.6.1-Information-Disclosure.html |
title | Starbucks 2.6.1 Information Disclosure |
The Hacker News
id | THN:57BD8DED9C126917CEFA239955EC78DC |
last seen | 2018-01-27 |
modified | 2014-01-20 |
published | 2014-01-16 |
reporter | Sudhir K Bansal |
source | https://thehackernews.com/2014/01/starbucks-ios-app-storing-user.html |
title | Starbucks' iOS app storing user credentials in plain text |
References
- http://seclists.org/fulldisclosure/2014/Jan/123
- http://seclists.org/fulldisclosure/2014/Jan/64
- http://www.osvdb.org/102514
- http://www.securityfocus.com/archive/1/530756/100/0/threaded
- http://www.securityfocus.com/bid/64942
- http://www.zdnet.com/starbucks-fixes-ios-app-bugs-7000025323/
- http://www.zdnet.com/the-starbucks-bug-not-as-awful-as-reported-7000025269/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/90412
- https://itunes.apple.com/us/app/starbucks/id331177714?mt=8