Trader Joes Fan Plaintext Data Transmission

Summary

The Trader Joes Fan Android app has a serious security problem: it sends login credentials without encryption.

Testing Method

I have Burp set up as a proxy for my Genymotion Android emulator.

Here's the app:

Sending test credentials:

Harvesting them with Burp:
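
The manual check above can also be scripted over requests exported from the proxy. This is an added example, not part of the original post: it parses one raw HTTP request and reports which credential-like fields left the device without TLS. The host name, field names, sample request and the `SENSITIVE` list are constructed assumptions, not values from the app.

```python
from urllib.parse import parse_qsl, urlsplit

# Parameter names treated as credentials (assumed list; extend for the app under test).
SENSITIVE = {"user", "username", "email", "login", "pass", "passwd", "password", "pwd", "token"}

# Constructed sample request; host and field names are placeholders.
SAMPLE = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: app.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 38\r\n"
    b"\r\n"
    b"username=testuser&password=P%40ssw0rd1"
)

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def cleartext_credentials(raw: bytes, tls: bool):
    """Return (location, field) pairs exposed by one request; empty if it used TLS."""
    if tls:
        return []
    _method, target, headers, body = parse_request(raw)
    # Collect parameters from the query string and, if form-encoded, the body.
    params = [("query", k, v) for k, v in parse_qsl(urlsplit(target).query)]
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params += [("body", k, v) for k, v in parse_qsl(body.decode("iso-8859-1"))]
    # Report field names only, so the audit output never stores the secrets themselves.
    findings = [(where, k) for where, k, _v in params if k.lower() in SENSITIVE]
    if headers.get("authorization", "").lower().startswith("basic "):
        findings.append(("header", "authorization"))
    return findings

if __name__ == "__main__":
    print(cleartext_credentials(SAMPLE, tls=False))
```

Any non-empty result for a request with `tls=False` is the same finding this page reports.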

Notification

I sent this message on 5-20-17:


Posted 5-20-17 by Sam Bowne