theScore Password Exposure

When a new account is created using the Android app, the password is exposed in two local files, one in a world-readable directory.

Here's the app I used:

In the app, register a new account:

The password and other user information appear in this file:

/data/data/com.fivemobile.thescore/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/log-files/crashlytics-userlog-58671C7F0084-0001-1F30-8620D8B6FCF4.temp

They also appear in this file:

/storage/emulated/legacy/Android/data/com.fivemobile.thescore/files/scorelog.2016-12-30.txt

Notification

I notified the developer on 12-30-16:

Posted 12-30-16 by Sam Bowne
Second file added 12-31-16