
Following security controversy, Starbucks patches iOS app with new 'safeguards'

post #1 of 25
Thread Starter 
Starbucks on Friday quickly responded to criticism after it was discovered that its iOS payment app does not encrypt users' login information, with a new update that promises additional "safeguards" for customers.

It's unclear whether Starbucks version 2.6.2 completely addresses the security issues that gained attention this week. But the coffee chain's CIO did promise on Thursday that an update coming "soon" would ensure that usernames and passwords were no longer stored as plain text.

The release notes for Friday's update simply state that the latest version includes "additional performance enhancements and safeguards."

Starbucks has been under attack since security researcher Daniel Wood publicly disclosed the vulnerability, which requires an attacker to have physical access to the device. Wood reportedly contacted Starbucks to report the flaw last November, and said he opted to go public after the company failed to fix the issue.

The app relies on a log file generated by Crashlytics, a Twitter-owned crash-reporting analytics firm. That log file can reportedly be retrieved from a user's handset by someone with physical access to the iPhone, even if it is secured with a PIN lock, and the file is said to contain unencrypted copies of the customer's username, email address and password.
post #2 of 25
If the fix was that easy, why didn't they do this the moment they were informed?
Send from my iPhone. Excuse brevity and auto-corrupt.
post #3 of 25
Sounds like there's no way for a massive database of sensitive info to get stolen... for someone to take advantage, they'd literally have to be a thief, a hacker, know of the Starbucks issue, and know you use the Starbucks app. The notorious Starbucks App Hacker Thief! I hope they're concerned over all other apps on the app store, too.
post #4 of 25
Quote:
Originally Posted by Benjamin Frost View Post

Quote:
Originally Posted by PhilBoogie View Post

If the fix was that easy, why didn't they do this the moment they were informed?

Wanted to thumbs up you, but 'I'm over my limit for rating content. Please try again later.'

That's...weird. On the desktop, if I turn off Java, I get this error:



On the iPhone, if I turn off Java, I get this error:



You could try to delete the history of this site:
/Settings/Safari/Advanced/Website Data and wipe ai.com

Sometimes logging out and back in helps, though I prefer to simply blame Huddler for all unexpected HTML stuff over here. Huddler. Why do a proper job when we are so good at doing a rim job.
Send from my iPhone. Excuse brevity and auto-corrupt.
post #5 of 25
Who the hell is going to go out of their way to gain access to a phone, bother downloading the file to gain access to some login details so they can get their hands on a small pre-paid account that can only buy them some crap coffee and cake?

I can see why Starbucks didn't bother until they were pushed.
post #6 of 25

Great! Now all they need to do is make good coffee and not charge $10,000 for a small. 

Mac Mini (Mid 2011) 2.5 GHz Core i5

120 GB SSD/500 GB HD/8 GB RAM

AMD Radeon HD 6630M 256 MB

post #7 of 25
Quote:
Originally Posted by PhilBoogie View Post

If the fix was that easy, why didn't they do this the moment they were informed?

Well, it is complicated for them; they had to decide between a tall fix, a grande fix and a venti fix.
From Apple ][ - to new Mac Pro I've used them all.
Long on AAPL so biased
"Google doesn't sell you anything, they just sell you!"
post #8 of 25
Quote:
Originally Posted by digitalclips View Post

Quote:
Originally Posted by PhilBoogie View Post

If the fix was that easy, why didn't they do this the moment they were informed?

Well, it is complicated for them; they had to decide between a tall fix, a grande fix and a venti fix.

My, aren't you in a good mood this morning!

Cheers!
Send from my iPhone. Excuse brevity and auto-corrupt.
post #9 of 25
Quote:
Originally Posted by PhilBoogie View Post

If the fix was that easy, why didn't they do this the moment they were informed?

Uh, because it takes Apple a few days to approve the release? 5-7 days if it's not expedited.
post #10 of 25
Quote:
Originally Posted by jkichline View Post

Quote:
Originally Posted by PhilBoogie View Post

If the fix was that easy, why didn't they do this the moment they were informed?

Uh, because it takes Apple a few days to approve the release? 5-7 days if it's not expedited.

They knew since November:

http://appleinsider.com/articles/14/01/16/starbucks-ios-app-found-to-store-user-credentials-in-plain-text
Quote:
Security researcher Daniel Wood publicly disclosed the vulnerability, which would require an attacker to have physical access to the device, on Monday. Wood told Computerworld that he first contacted Starbucks to report the flaw last November and only went public after the company failed to act.
Send from my iPhone. Excuse brevity and auto-corrupt.
post #11 of 25
Quote:
Originally Posted by Benjamin Frost View Post

Wanted to thumbs up you, but 'I'm over my limit for rating content. Please try again later.'

There's a thread for Duddler issues.

"Apple should pull the plug on the iPhone."

John C. Dvorak, 2007
post #12 of 25
Quote:
Originally Posted by Evilution View Post

Who the hell is going to go out of their way to gain access to a phone, bother downloading the file to gain access to some login details so they can get their hands on a small pre-paid account that can only buy them some crap coffee and cake?

I can see why Starbucks didn't bother until they were pushed.

It's MY coffee and cake. How dare anyone steal it. This is an outrage.

"Apple should pull the plug on the iPhone."

John C. Dvorak, 2007
post #13 of 25
Quote:
Originally Posted by Suddenly Newton View Post


It's MY coffee and cake. How dare anyone steal it. This is an outrage.

Well they already stole your phone by this time -- why not let them slide on the coffee and cake and just focus on what's important? :D

post #14 of 25

On a more serious note, I don't understand how they missed this to begin with.  Apple provides the keychain for storing exactly this kind of sensitive data.  It's not a super easy API to use, but there are plenty of wrappers out there and it's certainly something that shouldn't take more than a few hours to get working. I've implemented it myself in a few apps, so I'm familiar with how long it would take to do.  A bigger project like the Starbucks app would certainly have the cycles to do this.

post #15 of 25
Quote:
Originally Posted by Evilution View Post

Who the hell is going to go out of their way to gain access to a phone, bother downloading the file to gain access to some login details so they can get their hands on a small pre-paid account that can only buy them some crap coffee and cake?

I can see why Starbucks didn't bother until they were pushed.

If your username and password are stored in clear text, why are we assuming it's all being encrypted over the network? People that frequent Starbucks often use their public, unsecured WiFi. Any number of apps could grab this data. Starbucks has a very robust system of adding money and gift cards to cards online. You can even send money to others as a gift right from your Starbucks card or see a lot more private information online with the credentials sent in cleartext. If you use the same password for everything, you open that up to a lot of other issues.

This bot has been removed from circulation due to a malfunctioning morality chip.

post #16 of 25
Quote:
Originally Posted by SolipsismX View Post


If your username and password are stored in clear text, why are we assuming it's all being encrypted over the network? People that frequent Starbucks often use their public, unsecured WiFi. Any number of apps could grab this data. Starbucks has a very robust system of adding money and gift cards to cards online. You can even send money to others as a gift right from your Starbucks card or see a lot more private information online with the credentials sent in cleartext. If you use the same password for everything, you open that up to a lot of other issues.

Presumably if Starbucks wasn't using encryption for the network connection, we would've heard about this already as well, since the app was under scrutiny by a security researcher. Also it's likely that the team that works on the network side of things is completely different than the team that worked on the iOS app. If the servers already required encryption on their end, the iOS app would've had to use it.

 

Most likely, whoever developed the iOS app just wasn't aware of what Apple provides to save passwords.  My guess is that there are possibly lots of apps storing credentials in an insecure manner and they just don't have the high profile of a Starbucks, so they've gone unnoticed.

 

That said, that's still no excuse for not using something besides storing the credentials in cleartext.  

post #17 of 25
Quote:
Originally Posted by Benjamin Frost View Post
 
Quote:
Originally Posted by PhilBoogie View Post

If the fix was that easy, why didn't they do this the moment they were informed?

Wanted to thumbs up you, but 'I'm over my limit for rating content. Please try again later.'

AI's website has become an unfortunate mess.

post #18 of 25
Quote:
Originally Posted by anantksundaram View Post

AI's website has become an unfortunate mess.

Ironic, isn't it? Reporting on a company that puts so much effort into getting the details right, yet here we are: the only value comes from the posters, through some obscurely designed website that ought to be...

Never mind.
Send from my iPhone. Excuse brevity and auto-corrupt.
post #19 of 25

Exactly, SmileyDude! I was able to implement the keychain for an app with about 10 lines of code using a wrapper.

 

Just goes to show you, there's a lot of people out there that don't know what they're doing.

 

What most people are missing is that Crashlytics is a crash reporting system. The crash reports were not only on the devices, they get shipped to Crashlytics for collection and analysis. I wouldn't be surprised to find out that it was a last minute addition to a release and wasn't well thought out. That's usually how this stuff happens.
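As an added illustration of the two points raised in this thread (post #14: Apple's Keychain is the place for credentials; post #19: crash reports leave the device), here is a small Swift example. It is not code from the Starbucks app, from the article, or from any poster. The service name `com.example.coffee`, the sample account and password, and the `logForCrashReporter` stand-in for a crash-reporting SDK's log call are all assumptions made for the example.

```swift
import Foundation
import Security

enum KeychainError: Error {
    case unexpectedStatus(OSStatus)
    case itemNotFound
}

/// Hypothetical helper (not Starbucks' code): keeps the password in the iOS Keychain
/// as a generic-password item instead of in any file the app, or its SDKs, might log.
struct CredentialStore {
    let service: String   // assumed identifier, typically the app's bundle id

    func save(username: String, password: String) throws {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: username,
        ]
        // Drop any stale copy first so SecItemAdd does not fail with errSecDuplicateItem.
        SecItemDelete(query as CFDictionary)

        var attributes = query
        attributes[kSecValueData as String] = Data(password.utf8)
        // Readable only while the device is unlocked, and not restored to another device from a backup.
        attributes[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly

        let status = SecItemAdd(attributes as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
    }

    func loadPassword(username: String) throws -> String {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: username,
            kSecReturnData as String: true,
            kSecMatchLimit as String: kSecMatchLimitOne,
        ]
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        guard status != errSecItemNotFound else { throw KeychainError.itemNotFound }
        guard status == errSecSuccess,
              let data = item as? Data,
              let password = String(data: data, encoding: .utf8) else {
            throw KeychainError.unexpectedStatus(status)
        }
        return password
    }
}

/// The value that gets handed to a logger or crash reporter. Its printable form never
/// includes the secret, so a shipped crash log cannot carry the password by accident.
struct LoginEvent: CustomStringConvertible {
    let username: String
    let password: String

    var description: String { "LoginEvent(username: \(username), password: <redacted>)" }
}

/// Stand-in for a crash-reporting SDK's log call (assumption; replace with the real SDK call).
func logForCrashReporter(_ message: String) {
    print("[crashlog] \(message)")
}

// Usage with constructed sample values.
let store = CredentialStore(service: "com.example.coffee")   // placeholder service name
let sampleUser = "alice@example.com"
let samplePassword = "correct horse battery staple"
do {
    try store.save(username: sampleUser, password: samplePassword)
    let event = LoginEvent(username: sampleUser, password: samplePassword)
    logForCrashReporter("\(event)")          // the password shows up only as <redacted>
    let restored = try store.loadPassword(username: sampleUser)
    assert(restored == samplePassword)
} catch {
    logForCrashReporter("keychain error: \(error)")
}
```

The two halves address the two failure modes discussed above separately: the Keychain item protects the credential at rest on the handset, while the redacted `description` is what keeps it out of anything a crash reporter collects and uploads. Neither half helps on its own; a Keychain-stored password that is also interpolated into a debug string ends up in the log all the same.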

post #20 of 25
Quote:
Originally Posted by Evilution View Post

Who the hell is going to go out of their way to gain access to a phone, bother downloading the file to gain access to some login details so they can get their hands on a small pre-paid account that can only buy them some crap coffee and cake?
 

Someone who wants to try out the email address and password they stole on other services where the combo might work maybe?

MacBook Pro 17" early-2011 with 8GB RAM, Apple TV 3rd Gen, iPhone 6 Plus 128GB Space Grey
post #21 of 25
Quote:
Originally Posted by SmileyDude View Post
That said, that's still no excuse for not using something besides storing the credentials in cleartext.  

That is the crux of this whole matter.  Apparently there are people at companies big and small who either are incapable of, or don't care about securing our information.  This won't change until there are laws to force a certain minimal level of protections.  I think we have reached the point in the development of software, computer systems and the Internet that anyone who does not take security seriously is negligent.

post #22 of 25
Quote:
Originally Posted by PhilBoogie View Post

That's...weird. On the desktop, if I turn off Java, I get this error:



On the iPhone, if I turn off Java, I get this error:



You could try to delete the history of this site:
/Settings/Safari/Advanced/Website Data and wipe ai.com

Sometimes logging out and back in helps, though I prefer to simply blame Huddler for all unexpected HTML stuff over here. Huddler. Why do a proper job when we are so good at doing a rim job.

I think you're using Safari in your example; I'm using the iPhone app. I've tried your troubleshooting to no avail. I guess that there is a limit to how many thumbs-up one can give in a day, which seems pretty bizarre; why?
"If the young are not initiated into the village, they will burn it down just to feel its warmth."
- African proverb
post #23 of 25
Quote:
Originally Posted by PhilBoogie View Post

My, aren't you in a good mood this morning!

Cheers!

He he ... I have been in a pretty good mood for a while. Something to do with almost frosty days (anything below 40°F is frosty to me these days), brilliant blue skies and sunshine ... oh, and a new Mac Pro ...
From Apple ][ - to new Mac Pro I've used them all.
Long on AAPL so biased
"Google doesn't sell you anything, they just sell you!"
post #24 of 25
Quote:
Originally Posted by Benjamin Frost View Post

I think you're using Safari in your example; I'm using the iPhone app. I've tried your troubleshooting to no avail. I guess that there is a limit to how many thumbs-up one can give in a day, which seems pretty bizarre; why?

I've tried everything on my iPhone, but can't replicate your issue. You could of course turn to Huddler.com with the issue, but having experienced their expertise, or lack thereof, I don't think they'll be able to understand the problem, let alone be able to fix it.
Quote:
Originally Posted by digitalclips View Post


He he ... I have been in a pretty good mood for a while. Something to do with almost frosty days (anything below 40°F is frosty to me these days), brilliant blue skies and sunshine ... oh, and a new Mac Pro ...

I think after getting rid of a MP and using a MBP for several years, the arrival of a new MP will make anyone warm and fuzzy. Blue skies or not.
Send from my iPhone. Excuse brevity and auto-corrupt.