Misuse of an authentication cookie combined with a path traversal on app.starbucks.com permitted access to restricted data
Critical
Starbucks
Team Summary
Official summary from Starbucks
zlz and rhynorater discovered that obtaining a valid authentication cookie and then combining it with a path traversal allowed access to restricted data. noapearson assisted by providing additional information post-discovery. @zlz / @rhynorater / @noapearson — thank you for reporting this vulnerability and for confirming the resolution.
Reported by: zlz
Report Details
Additional information and metadata
State: Closed
Substate: Resolved
Submitted
Weakness: Path Traversal