Starbucks' iOS app found to store user credentials in plain text [u]
Coffee megachain Starbucks is under fire over its data security practices after it was discovered that the company's iOS payment app does not encrypt customers' login information.
Update: A Starbucks spokesperson told The Verge that a future update to the app will bring a new credential storage method that will no longer expose usernames and passwords as plain text. An earlier release from the company said that the new version would be ready "soon."
Security researcher Daniel Wood publicly disclosed the vulnerability, which would require an attacker to have physical access to the device, on Monday. Wood told Computerworld that he first contacted Starbucks to report the flaw last November and only went public after the company failed to act.
At issue is a log file generated by Twitter-owned crash reporting analytics firm Crashlytics. The log file, which Wood says can be retrieved from a user's handset even if the phone is locked with a PIN, contains unencrypted versions of the customer's username, email address, and password.
Starbucks executives, for their part, acknowledged the vulnerability and said that they have made changes to mitigate the danger.
"We were aware" of the problem, Starbucks' Chief Digital Officer Adam Brotman told Computerworld, before adding that the chain has "adequate security measures in place now" and that "usernames and passwords are safe." Following the statements, Wood reassessed the situation and found that the credentials were still freely available.
While this particular vulnerability is unlikely to cause widespread damage, the publication notes that it does provide an opportunity to remind the public of the dangers of reusing passwords across services. A targeted attack against an individual who uses the same password for both Starbucks and their online banking service, for instance, could yield a significant payday for the attacker and a financial headache for the victim.
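The flaw described above is a crash-reporter log that holds the customer's username, email address and password in the clear. As an added example (not code from the article, the researcher, Starbucks or Crashlytics), the Python below scans a log file for credential fields stored in plain text and shows the redaction step that should run before any such field is handed to a logger; the log lines and values are constructed.

```python
import re
from typing import Dict, List

# Constructed sample of the kind of crash-reporter log an app leaves in its
# sandbox when login fields are passed straight to the logger. Made-up values,
# not data from the Starbucks app or from Crashlytics.
SAMPLE_LOG = """\
2014-01-13 08:02:11 Crashlytics session start
2014-01-13 08:02:14 login attempt username=jane.doe password=Hunter2! email=jane@example.com
2014-01-13 08:02:15 HTTP 200 /api/v1/login
2014-01-13 08:03:01 key-value: {"user": "jane.doe", "pwd": "Hunter2!", "token": "abc"}
2014-01-13 08:03:09 app backgrounded
"""

# Field names whose values must never reach a log or crash breadcrumb.
# Longer names come first so "username" is reported as such, not as "user".
SENSITIVE_KEYS = ("password", "passwd", "pwd", "secret", "token", "email", "username", "user")

# key=value, key: value, or "key": "value"; the value runs to whitespace, a comma,
# a closing brace or a quote, so both plain and JSON-style breadcrumbs are covered.
_KV = re.compile(
    r'(?P<q>["\']?)(?P<key>' + "|".join(SENSITIVE_KEYS) + r')(?P=q)\s*[=:]\s*'
    r'(?P<vq>["\']?)(?P<val>[^\s,"\'}]+)(?P=vq)',
    re.IGNORECASE,
)


def find_credentials(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per sensitive field: 1-based line number, key, value."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for m in _KV.finditer(line):
            findings.append({"line": lineno, "key": m.group("key").lower(), "value": m.group("val")})
    return findings


def _mask(m: "re.Match[str]") -> str:
    # Replace only the value span, keeping key, separator and quoting intact.
    text, offset = m.group(0), m.start()
    start, end = m.span("val")
    return text[: start - offset] + "[REDACTED]" + text[end - offset:]


def redact(text: str) -> str:
    """Scrub sensitive values so a line stays useful for debugging without exposing them."""
    return _KV.sub(_mask, text)


if __name__ == "__main__":
    for f in find_credentials(SAMPLE_LOG):
        print(f"line {f['line']}: field '{f['key']}' is stored in clear text")
    print(redact(SAMPLE_LOG))
```

Run against files pulled from an app sandbox or a backup, the scanner gives a reviewer a quick yes/no on whether login fields are leaking into analytics output; the redaction belongs in the app, in front of the crash reporter, not after the fact.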
Comments
Another reason to avoid Starbucks... shitty coffee and now this. I can brew a better latte than they can for 1/16th the price and I don't have to wait in line with the entitled people.
I guess that is why I still use cash when going to small businesses, whenever possible.
I didn't know Starbucks was a small business???
If you have PIN and your phone is locked, isn't the entire device encrypted?
I'm a big fan of Starbucks. I'm there pretty much every morning between 5 and 6am. I get up early but I don't want to make my own coffee at home and I like the (ironic?) social aspect of getting out and about early in the morning just to sit someplace ignoring everyone around me whilst reading news on my computer. I like to study in public even if I'm not interacting with others. I think I need that visual stimuli as background noise for my brain.
I guess I'm not a connoisseur of coffee since I go to Starbucks but they have something going for them I have rarely found elsewhere: consistency. I can go to any Starbucks and it will taste the same and yet it seems a barista at any other place can't replicate the same experience twice. Consistency is good, especially at 5 in the morning.
I'm not certain but I don't think iExplorer requires you to unlock your phone to get folder access.
Another reason for people to use 1Password.
- https://agilebits.com/onepassword
So in other words you enjoy consistent shitty over priced coffee...
It appears I must. Are you going to suggest I now use Win8 on a Dell and switch to Android?
Starbucks demonstrates how big business totally ignores the cost to everyone by not having a decent security strategy. It does not take much for a security expert to have reviewed and highlighted the issue and for Starbucks to plan for changes. This is not a brand new app. They clearly have had a long time to fix this but decided it is not important enough.
I use my Starbucks on my iPhone every day and will stop going to Starbucks shops till the end of Feb to show my objections to their complacency about the security of their customers.
I for one thank those who take the time to highlight such issues since clearly the businesses and the government are not taking the issue seriously otherwise.
WTF?!!! I guess the developers who got paid by Starbucks to design this app for iOS also work on the Android team ...
It appears I must. Are you going to suggest I now use Win8 on a Dell and switch to Android?
ROFLMAO ... ok, that was funny.
It appears I must. Are you going to suggest I now use Win8 on a Dell and switch to Android?
No...
Another reason for people to use 1Password.
Live and die by 1Pswrd
I make great coffee at home but I completely agree about the non-participatory social aspect. I love reading in busy places.
That, apparently, is the 'great' thing about McD's. Their burgers will taste the same in New York as they do in Moscow. I am not sure that is a good thing - in fact I know it isn't, but I get your point re early mornings. Personally I am fast asleep at 5 am but if I was awake it would definitely qualify as a time when 'adjustment' / 'variance' / 'thought' / 'conversation' would all be undesirables.
In my area they are all operated by franchisees.
It seems to me that if your name is so well known that you can franchise all over the country (or world) that you're not a small business. The franchise owner may consider themselves a small business owner (especially by comparison) but just like with McDonald's, Subway, Supercuts, Denny's, 7-Eleven, Hampton Hotels, Pizza Hut, or any other franchise the corporation is quite immense (or at the very least not considered small).
So in other words you enjoy consistent shitty over priced coffee...
I have tried to go to smaller shops, and do myself enjoy Nespresso. But I do find it distasteful for you to use this forum as an outlet for your elitist coffee rants.
Starbucks: ‘Security as bad as the coffee.’ Who’d have thunk…
Seriously, after the recent spate of hacks, I have pretty much cut up and thrown away all my store credit cards. Other than for Apple, a couple of trusted credit card companies, my bank, and my brokerage account, I have jettisoned almost everything else.
The state of online security in the US is laughable. (I am guessing it’s somewhat better in the EU, since we do not seem to hear about a lot of companies getting hacked there; moreover, their chip-and-pin system is likely far more secure).
Starbucks is great - gives out better free apps and music all year long than the 12 days of bag of hurt. And I get a free drink after every 10 purchased. What's not to like?
Their coffee-based beverages.
Yet I am still a Gold card member.
"So in other words you enjoy consistent shitty over priced coffee..."
I'm not a fan of Starbucks either, but I didn't think there was a need to berate someone else's personal taste.
Everyone is missing something else... Crashlytics is an online crash monitoring tool. So, the crash logs with the user info were probably being transmitted to Crashlytics and stored for later review by a developer (who got access to people's info). That's what Crashlytics (Crash-Analytics) does. Otherwise, if you were just going to do it locally, you could easily write your own crash log.
The sad fact... it only takes about 10 lines of code to store this info into the keychain (which is encrypted). I did it on the last eCommerce iPhone app I worked on. And, the keychain gets backed up and restored on phone restores.
And, furthermore, why do Starbucks' developers need direct access to your user info anyway?