製品・ソフトウェアに関する情報

JVN脆弱性詳細

iOS 用 Starbucks アプリケーションにおけるユーザ名などの情報を取得される脆弱性

Title	iOS 用 Starbucks アプリケーションにおけるユーザ名などの情報を取得される脆弱性
Summary	iOS 用 Starbucks アプリケーションは、Crashlytics ログファイル (/Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog) に平文で重要な情報を格納するため、ユーザ名、パスワード、および電子メールアドレスを取得される脆弱性が存在します。
Possible impacts	攻撃者により、session.clslog を読み取るアプリケーションを介して、ユーザ名、パスワード、および電子メールアドレスを取得される可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	Jan. 13, 2014, midnight
Registration Date	Jan. 29, 2014, 4:20 p.m.
Last Update	Jan. 29, 2014, 4:20 p.m.

Affected System

Starbucks Coffee Company

Starbucks 2.6.1

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2014-0647	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0647
National Vulnerability Database (NVD)
2	CVE-2014-0647	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0647

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-255	https://jvndb.jvn.jp/ja/cwe/CWE-255.html

ベンダー情報

No	Name	URL
Apple Store
1	Starbucks	https://itunes.apple.com/us/app/starbucks/id331177714?mt=8
Starbucks Coffee Company
2	Mobile Apps	http://www.starbucks.com/coffeehouse/mobile-apps

その他

No	Name	URL
関連文書
1	Re: [CVE-2014-0647] Insecure Data Storage of User Data Elements in Starbucks v2.6.1 iOS mobile application	http://seclists.org/fulldisclosure/2014/Jan/123
2	Starbucks fixes iOS app bugs	http://www.zdnet.com/starbucks-fixes-ios-app-bugs-7000025323/
3	Starbucks session.clslog information disclosure	http://xforce.iss.net/xforce/xfdb/90412
4	The Starbucks bug: not as awful as reported	http://www.zdnet.com/the-starbucks-bug-not-as-awful-as-reported-7000025269/

Change Log

No	Changed Details	Date of change
0	[2014年01月29日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2014-0647

Summary	The Starbucks 2.6.1 application for iOS stores sensitive information in plaintext in the Crashlytics log file (/Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog), which allows attackers to discover usernames, passwords, and e-mail addresses via an application that reads session.clslog.
Publication Date	Jan. 28, 2014, 9:55 a.m.
Registration Date	Jan. 26, 2021, 3:05 p.m.
Last Update	Nov. 21, 2024, 11:02 a.m.

Affected software configurations

Related information, measures and tools

No	URL	refsource	タグ
1	http://seclists.org/fulldisclosure/2014/Jan/123
2	http://seclists.org/fulldisclosure/2014/Jan/123
3	http://seclists.org/fulldisclosure/2014/Jan/64
4	http://seclists.org/fulldisclosure/2014/Jan/64
5	http://www.osvdb.org/102514
6	http://www.osvdb.org/102514
7	http://www.securityfocus.com/archive/1/530756/100/0/threaded
8	http://www.securityfocus.com/archive/1/530756/100/0/threaded
9	http://www.securityfocus.com/bid/64942
10	http://www.securityfocus.com/bid/64942
11	http://www.zdnet.com/starbucks-fixes-ios-app-bugs-7000025323/
12	http://www.zdnet.com/starbucks-fixes-ios-app-bugs-7000025323/
13	http://www.zdnet.com/the-starbucks-bug-not-as-awful-as-reported-7000025269/
14	http://www.zdnet.com/the-starbucks-bug-not-as-awful-as-reported-7000025269/
15	https://exchange.xforce.ibmcloud.com/vulnerabilities/90412
16	https://exchange.xforce.ibmcloud.com/vulnerabilities/90412
17	https://itunes.apple.com/us/app/starbucks/id331177714?mt=8
18	https://itunes.apple.com/us/app/starbucks/id331177714?mt=8

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-255	証明書・パスワード管理	https://cwe.mitre.org/data/definitions/255.html