
Starbucks' iOS app found to store user credentials in plain text [u]

post #1 of 31
Thread Starter 
Coffee megachain Starbucks is under fire over their data security practices after it was discovered that the company's iOS payment app does not encrypt customers' login information.

Update: A Starbucks spokesperson told The Verge that a future update to the app will bring a new credential storage method that will no longer expose usernames and passwords as plain text. An earlier release from the company said that the new version would be ready "soon."

Security researcher Daniel Wood publicly disclosed the vulnerability, which would require an attacker to have physical access to the device, on Monday. Wood told Computerworld that he first contacted Starbucks to report the flaw last November and only went public after the company failed to act.

At issue is a log file generated by Twitter-owned crash reporting analytics firm Crashlytics. The log file, which Wood says can be retrieved from a user's handset even if the phone is locked with a PIN, contains unencrypted versions of the customer's username, email address, and password.

Starbucks executives, for their part, acknowledged the vulnerability and said that they have made changes to mitigate the danger.

"We were aware" of the problem, Starbucks' Chief Digital Officer Adam Brotman told Computerworld, before adding that the chain has "adequate security measures in place now" and that "usernames and passwords are safe." Following the statements, Wood reassessed the situation and found that the credentials were still freely available.

While this particular vulnerability is unlikely to cause widespread damage, the publication notes that it does provide an opportunity to remind the public of the dangers of reusing passwords across services. A targeted attack against an individual who uses the same password for both Starbucks and their online banking service, for instance, could yield a significant payday for the attacker and a financial headache for the victim.
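Added example, not from the article and not Starbucks' or Crashlytics' code: the control that addresses the failure described above. Whatever crash-reporting or analytics SDK an app ships with, request bodies and form fields should pass through one redaction choke point before they can reach a log line or a breadcrumb, so that a crash dump pulled off the handset never contains a usable username or password. Swift; the key list, the sample lines and the helper names are assumptions.

```swift
import Foundation

/// Parameter names whose values must never reach a log line or a crash report.
/// Constructed list for this example; extend it for the fields your app handles.
let sensitiveKeys: [String] = ["password", "passwd", "pwd", "username", "email", "token"]

/// Returns `line` with the value of every sensitive key replaced by "[REDACTED]".
/// Handles the two shapes seen in most debug output: `key=value` (query strings,
/// form bodies) and `"key": "value"` (JSON). Hypothetical helper, not the app's code.
func redactCredentials(_ line: String) -> String {
    var out = line
    for key in sensitiveKeys {
        // Group 1 keeps the key and separator; group 2 is the value to blank out.
        let pattern = "(?i)(\"?\\b\(key)\\b\"?\\s*[=:]\\s*\"?)([^&\",\\s]*)"
        guard let re = try? NSRegularExpression(pattern: pattern) else { continue }
        let range = NSRange(out.startIndex..., in: out)
        out = re.stringByReplacingMatches(in: out, range: range, withTemplate: "$1[REDACTED]")
    }
    return out
}

/// Single choke point in front of NSLog / the crash SDK's custom-log call, so that
/// unredacted text cannot be written by accident from anywhere in the app.
func safeLog(_ message: String) {
    print(redactCredentials(message))
}

// Constructed sample lines, shaped like what an analytics SDK might capture on a failure.
let samples = [
    "POST /login body: username=alice&password=hunter2&remember=1",
    "response: {\"email\":\"alice@example.com\",\"token\":\"eyJhbGciOi...\",\"status\":\"ok\"}",
    "retry count=3 endpoint=/balance"
]
for s in samples { safeLog(s) }
// The username, password, email and token values come out as [REDACTED];
// the harmless last line passes through unchanged.
```

Redaction is the backstop, not the fix: the primary change is to stop logging request bodies and form fields at all, and to stop keeping the password on the device once the server has issued a session token.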
post #2 of 31
I guess that is why I still use cash when going to small businesses whenever possible.

Mac Pro Dual 2.8 Quad (2nd gen), 14G Ram, Two DVD-RW Drives, OS X 10.9
Mac Book Pro Core 2 Duo 2.16Ghz, SuperDrive, ATI X1600, 2GB RAM, OS X 10.7
1TB Time Capsule

post #3 of 31

Another reason to avoid Starbucks...Shitty coffee and now this. I can brew a better latte than they can for 1/16th the price and I don't have to wait in line with the entitled people. 

post #4 of 31
Quote:
Originally Posted by satcomer View Post

I guess that is why I still use cash when going to small businesses whenever possible.

I didn't know Starbucks was a small business???

post #5 of 31

If you have a PIN and your phone is locked, isn't the entire device encrypted?

post #6 of 31
Another reason for people to use 1Password.


Quote:
Originally Posted by macxpress View Post

Another reason to avoid Starbucks...Shitty coffee and now this. I can brew a better latte than they can for 1/16th the price and I don't have to wait in line with the entitled people. 

I'm a big fan of Starbucks. I'm there pretty much every morning between 5 and 6am. I get up early but I don't want to make my own coffee at home and I like the (ironic?) social aspect of getting out and about early in the morning just to sit someplace ignoring everyone around me whilst reading news on my computer. I like to study in public even if I'm not interacting with others. I think I need that visual stimuli as background noise for my brain.

I guess I'm not a connoisseur of coffee since I go to Starbucks but they have something going for them I have rarely found elsewhere: consistency. I can go to any Starbucks and it will taste the same and yet it seems a barista at any other place can't replicate the same experience twice. Consistency is good, especially at 5 in the morning.

Quote:
Originally Posted by Gustav View Post

If you have a PIN and your phone is locked, isn't the entire device encrypted?

I'm not certain but I don't think iExplorer requires you to unlock your phone to get folder access.

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #7 of 31
Quote:
Originally Posted by SolipsismX View Post

Another reason for people to use 1Password.
I'm a big fan of Starbucks. I'm there pretty much every morning between 5 and 6am. I get up early but I don't want to make my own coffee at home and I like the (ironic?) social aspect of getting out and about early in the morning just to sit someplace ignoring everyone around me whilst reading news on my computer. I like to study in public even if I'm not interacting with others. I think I need that visual stimuli as background noise for my brain.

I guess I'm not a connoisseur of coffee since I go to Starbucks but they have something going for them I have rarely found elsewhere: consistency. I can go to any Starbucks and it will taste the same and yet it seems a barista at any other place can't replicate the same experience twice. Consistency is good, especially at 5 in the morning.
I'm not certain but I don't think iExplorer requires you to unlock your phone to get folder access.

So in other words you enjoy consistent shitty overpriced coffee...

post #8 of 31
Quote:
Originally Posted by macxpress View Post

So in other words you enjoy consistent shitty overpriced coffee...

It appears I must. Are you going to suggest I now use Win8 on a Dell and switch to Android?

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #9 of 31

Starbucks demonstrates how big business totally ignores the cost to everyone by not having a decent security strategy. It does not take much for a security expert to have reviewed and highlighted the issue and for Starbucks to plan for changes. This is not a brand new app. They clearly have had a long time to fix this but decided it is not important enough.

I use my Starbucks app on my iPhone every day and will stop going to Starbucks shops till the end of Feb to show my objection to their complacency about the security of their customers.

I for one thank those who take the time to highlight such issues since clearly the businesses and the government are not taking the issue seriously otherwise.

post #10 of 31

WTF?!!! I guess the developers who got paid by Starbucks to design this app for iOS also work on the Android team ...

....the lack of properly optimized apps is one of the reasons "why the experience on Android tablets is so crappy".

Tim Cook ~ The Wall Street Journal - February 7, 2014

Inside Google! 

post #11 of 31
Quote:
Originally Posted by SolipsismX View Post


It appears I must. Are you going to suggest I now use Win8 on a Dell and switch to Android?

ROFLMAO ... ok, that was funny. ;)

....the lack of properly optimized apps is one of the reasons "why the experience on Android tablets is so crappy".

Tim Cook ~ The Wall Street Journal - February 7, 2014

Inside Google! 

post #12 of 31
Quote:
Originally Posted by SolipsismX View Post


It appears I must. Are you going to suggest I now use Win8 on a Dell and switch to Android?

No...

post #13 of 31
Quote:
Originally Posted by SolipsismX View Post

Another reason for people to use 1Password.

Live and die by 1Pswrd

I'm there pretty much every morning between 5 and 6am. I get up early but I don't want to make my own coffee at home and I like the (ironic?) social aspect of getting out and about early in the morning just to sit someplace ignoring everyone around me whilst reading news on my computer. I like to study in public even if I'm not interacting with others. I think I need that visual stimuli as background noise for my brain.

I make great coffee at home but I completely agree about the non-participatory social aspect. I love reading in busy places.

I guess I'm not a connoisseur of coffee since I go to Starbucks but they have something going for them I have rarely found elsewhere: consistency.

That, apparently, is the 'great' thing about McD's. Their burgers will taste the same in New York as they do in Moscow. I am not sure that is a good thing - in fact I know it isn't, but I get your point re early mornings. Personally I am fast asleep at 5 am but if I was awake it would definitely qualify as a time when 'adjustment' / 'variance' / 'thought' / 'conversation' would all be undesirables.

post #14 of 31
Quote:
Originally Posted by macxpress View Post

I didn't know Starbucks was a small business???

In my area they are all operated by franchisees.

Mac Pro Dual 2.8 Quad (2nd gen), 14G Ram, Two DVD-RW Drives, OS X 10.9
Mac Book Pro Core 2 Duo 2.16Ghz, SuperDrive, ATI X1600, 2GB RAM, OS X 10.7
1TB Time Capsule

post #15 of 31
Quote:
Originally Posted by satcomer View Post

In my area they are all operated by franchisees.

It seems to me that if your name is so well known that you can franchise all over the country (or world) that you're not a small business. The franchise owner may consider themselves a small business owner (especially by comparison) but just like with McDonald's, Subway, Supercuts, Denny's, 7-Eleven, Hampton Hotels, Pizza Hut, or any other franchise the corporation is quite immense (or at the very least not considered small).

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #16 of 31
Quote:
Originally Posted by macxpress View Post

So in other words you enjoy consistent shitty overpriced coffee...

I have tried to go to smaller shops, and do myself enjoy Nespresso. But I do find it distasteful for you to use this forum as an outlet for your elitist coffee rants.

post #17 of 31

Starbucks: ‘Security as bad as the coffee.’ Who’d have thunk…

Seriously, after the recent spate of hacks, I have pretty much cut up and thrown away all my store credit cards. Other than for Apple, a couple of trusted credit card companies, my bank, and my brokerage account, I have jettisoned almost everything else.

The state of online security in the US is laughable. (I am guessing it’s somewhat better in the EU, since we do not seem to hear about a lot of companies getting hacked there; moreover, their chip-and-pin system is likely far more secure).

post #18 of 31
Starbucks is great- gives out better free apps and music all year long than the 12 days of bag of hurt. And I get a free drink after every 10 purchased. What's not to like?

Where's the new Apple TV?
post #19 of 31
Quote:
Originally Posted by pazuzu View Post

Starbucks is great- gives out better free apps and music all year long than the 12 days of bag of hurt. And I get a free drink after every 10 purchased. What's not to like?

Their coffee-based beverages.

Yet I am still a Gold card member.

post #20 of 31
macxpress 01/16/2014 10:10 AM wrote in response to solipsismx

"So in other words you enjoy consistent shitty overpriced coffee..."

I'm not a fan of Starbucks either, but I didn't think there was a need to berate someone else's personal taste.
post #21 of 31
iExplorer lets you get access even without unlocking the phone.

Everyone is missing something else... Crashlytics is an online crash monitoring tool. So, the crash logs with the user info were probably being transmitted to Crashlytics and stored for later review by a developer (who got access to people's info). That's what Crashlytics (Crash-Analytics) does. Otherwise, if you were just going to do it locally, you could easily write your own crash log.

The sad fact... it only takes about 10 lines of code to store this info into the keychain (which is encrypted). I did it on the last eCommerce iPhone app I worked on. And, the keychain gets backed up and restored on phone restores.

And, furthermore, why do Starbucks' developers need direct access to your user info anyway?
Edited by smaffei - 1/16/14 at 10:16am
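As an added example of the keychain approach smaffei describes, not code from the post or from the Starbucks app: a Swift wrapper around SecItemAdd, SecItemCopyMatching and SecItemDelete that keeps a login in the keychain rather than in a file under the app's sandbox where a crash reporter, a backup or a USB file browser can pick it up. The service identifier, account name and password are assumptions.

```swift
import Foundation
import Security

enum KeychainError: Error {
    case unexpectedStatus(OSStatus)
}

/// Minimal credential store backed by the iOS keychain. Hypothetical example code,
/// not the Starbucks app's implementation; `service` is an assumed identifier.
struct CredentialStore {
    let service = "com.example.coffeeapp.login"

    private func baseQuery(account: String) -> [String: Any] {
        return [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
    }

    /// Stores `password` for `account`, replacing any previous value.
    func save(account: String, password: String) throws {
        let base = baseQuery(account: account)
        // Delete first: SecItemAdd fails with errSecDuplicateItem if the item exists.
        _ = SecItemDelete(base as CFDictionary)

        var attrs = base
        attrs[kSecValueData as String] = Data(password.utf8)
        // Readable only while the device is unlocked, and never migrated to another
        // device through a backup. Use kSecAttrAccessibleWhenUnlocked instead if the
        // credential should follow the user to a new phone via an encrypted backup.
        attrs[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly

        let status = SecItemAdd(attrs as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
    }

    /// Returns the stored password, or nil if nothing is stored for `account`.
    func load(account: String) throws -> String? {
        var query = baseQuery(account: account)
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne

        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        if status == errSecItemNotFound { return nil }
        guard status == errSecSuccess, let data = item as? Data else {
            throw KeychainError.unexpectedStatus(status)
        }
        return String(decoding: data, as: UTF8.self)
    }

    /// Removes the credential, e.g. on sign-out. Treats "already gone" as success.
    func delete(account: String) throws {
        let status = SecItemDelete(baseQuery(account: account) as CFDictionary)
        guard status == errSecSuccess || status == errSecItemNotFound else {
            throw KeychainError.unexpectedStatus(status)
        }
    }
}

// Usage (needs a device or simulator; the keychain is not available to a plain script):
// let store = CredentialStore()
// try store.save(account: "alice@example.com", password: "hunter2")
// let pw = try store.load(account: "alice@example.com")   // "hunter2"
// try store.delete(account: "alice@example.com")
```

One caveat on the backup/restore point in the post: with kSecAttrAccessibleWhenUnlockedThisDeviceOnly, as used here, the item is restored only to the same device, which is usually what you want for a payment login. And the closing question in the post is the right one: if the server hands back a session token after login, store that in the keychain and discard the password altogether.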
post #22 of 31
Quote:
Originally Posted by SolipsismX View Post

I'm a big fan of Starbucks. I'm there pretty much every morning between 5 and 6am. I get up early but I don't want to make my own coffee at home and I like the (ironic?) social aspect of getting out and about early in the morning just to sit someplace ignoring everyone around me whilst reading news on my computer. I like to study in public even if I'm not interacting with others. I think I need that visual stimuli as background noise for my brain.

I guess I'm not a connoisseur of coffee since I go to Starbucks but they have something going for them I have rarely found elsewhere: consistency. I can go to any Starbucks and it will taste the same and yet it seems a barista at any other place can't replicate the same experience twice. Consistency is good, especially at 5 in the morning.

The ambiance at Starbucks is nice enough. And for those who like routine, consistency has its merits. Apparently Starbucks also values consistency, as you noted. The reality is that every coffee is inherently different, grown in a different climate, of a different variety, different soil, with different drying/washing/processing. The way Starbucks achieves consistency is by over roasting their coffee. After all, charcoal always tastes exactly like charcoal. To their credit, they now offer a Blonde product, (lighter roast) in bags, but they don't serve it in their restaurants as far as I know.

In my opinion almost all coffee tastes terrible, bitter, acidic, and is definitely an acquired taste. That is the primary reason people put so much milk and sugar in their coffee - to mask the bad taste of the black coffee. Super premium coffees naturally have a lot of sweetness and fruit-like nuances and drinking it black is the only way to experience that. Unfortunately Starbucks and most other coffee retailers do not buy super premium beans, so their coffee is almost always bitter tasting. I'm not a big fan of espresso either. There are some very nasty tasting oils in most coffees and when extracted under pressure they tend to be dissolved into the beverage. I've found that a very good way to brew coffee is with a simple Melitta single serve pour over paper filter. You still need to do every other step correctly beforehand such as growing, processing, packaging, roasting and grinding, but proper brewing is very important. Large brewing equipment, such as the ones used in Starbucks, is not really very good in terms of creating an ideal cup of coffee. I know I'm a bit of a coffee geek, but that is part of my job as a coffee grower.

On rare occasion when I go to a coffee retail shop, I always pay in cash as it is a lot easier to tip the server. I never considered downloading the Starbucks app. Of course I almost never go to Starbucks unless someone asks to meet up there. Honestly, I don't use very many apps of any type. I did get my Adobe and Target IDs compromised recently. Very annoying. Digital transactions are becoming quite risky lately.

Life is too short to drink bad coffee.

post #23 of 31
"I use my Starbucks app on my iPhone every day and will stop going to Starbucks shops till the end of Feb to show my objection to their complacency about the security of their customers."

I'm sure Starbucks will die of embarrassment.
post #24 of 31
From another article on this issue, it was explicitly mentioned that the attacker needs to have physical access to the phone. There is likely a LOT of personal data stored on people's phones; it occurs to me their Starbucks account will be the lesser of their worries. If you lose your phone, it's a race to iCloud to wipe it!
post #25 of 31
Quote:
Originally Posted by mactoid View Post

From another article on this issue, it was explicitly mentioned that the attacker needs to have physical access to the phone. There is likely a LOT of personal data stored on people's phones; it occurs to me their Starbucks account will be the lesser of their worries. If you lose your phone, it's a race to iCloud to wipe it!

I seem to recall the problem with remote wipe is that you then lose the ability to track your phone, have it notify you when it comes back online, and have it display a message that could get the phone back to you.

I think this may now be alleviated in iOS 7 with Find My iPhone requiring your credentials so it can be activated by a different user, but I'm not certain.

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #26 of 31

Yeah, but like I said the articles are only giving half the story.

Crashlytics is a crash reporting tool for developers. It's used to collect and transmit crash information to a developer to potentially fix bugs discovered in the field. So, chances are, people's personal info was transmitted to Crashlytics in the crash reports. And developers had access to users' login information.

Here take a look:

http://try.crashlytics.com

post #27 of 31
Given you need physical access this is a non story.
I wanted dsadsa but it was taken.
post #28 of 31
Quote:
Originally Posted by asdasd View Post

Given you need physical access this is a non story.

There is talk that your username and password may have been transmitted in plain text, too.

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #29 of 31
Big deal, apps are all sandboxed, everyone knows that. Security researchers need to up their game with the iPhone because it protects against many basic programming incompetences like this one.
post #30 of 31

Reality of outsourcing to do things the cheap way. Most utility app creation is given to low-cost developer companies in far flung countries. Heck, even bigger things like EA & Gameloft games.

And these companies hire newbies & interns, pay them worse than peanuts, and expect them to learn off-the-work without 'wasting' any work hours, coz the client wants an 8-hour daily timesheet & pays almost bare minimum-wage per-hour money, by their own standards.

And guess who gets the lion's share of even this money, the 'managers' of course. One thing I realised here, why managers can't do real development is because they are busy sweet-talking the lowly developers into cheap salaries & benefits for doing the real work.

I am one of these, a one-year work-old developer hired by such a developer 'partnership'. The expectations of the clients - time-wise & effort-wise, and the money they offer in return are way apart. And we fight to get the crumbs from the manager.

Back when I was a fresh graduate out of the university, I hadn't imagined how capitalism works out, in this way.

iMac 21.5" 2.7 GHz (2011), 1TB HDD, 8GB RAM; iPhone 5c 16GB White; iPod Touch 4G 8GB Black; iPod Touch 2G 8GB
post #31 of 31
Quote:
Originally Posted by Rob Bonner View Post

I have tried to go to smaller shops, and do myself enjoy Nespresso. But I do find it distasteful for you to use this forum as an outlet for your elitist coffee rants.

I think it's distasteful to use the word distasteful in a discussion about a coffee company... So I find your post distasteful.
