Following security controversy, Starbucks patches iOS app with new 'safeguards'

Posted in iPhone, edited January 2014
Starbucks on Friday quickly responded to criticism after it was discovered that its iOS payment app does not encrypt users' login information, with a new update that promises additional "safeguards" for customers.

It's unclear whether Starbucks version 2.6.2 completely addresses the security issues that gained attention this week. But the coffee chain's CIO did promise on Thursday that an update coming "soon" would ensure that usernames and passwords were no longer stored as plain text.

The release notes for Friday's update simply state that the latest version includes "additional performance enhancements and safeguards."

Starbucks has been under fire since security researcher Daniel Wood publicly disclosed the vulnerability, which requires an attacker to have physical access to the device. Wood reportedly contacted Starbucks to report the flaw last November, and said he opted to go public after the company failed to fix the issue.

The app relies on a log file written by Crashlytics, the Twitter-owned crash-reporting analytics firm. That log file can reportedly be retrieved from a user's handset by someone with physical access to the iPhone, even if it is secured with a PIN lock, and the file is said to contain unencrypted copies of the customer's username, email address and password.

Comments

  • Reply 1 of 25
    philboogie Posts: 7,438 member
    If the fix was that easy, why didn't they do this the moment they were informed?
  • Reply 2 of 25
    Sounds like there's no way for a massive database of sensitive info to get stolen... for someone to take advantage, they'd literally have to be a thief, a hacker, know of the Starbucks issue, and know you use the Starbucks app. The notorious Starbucks App Hacker Thief! I hope they're concerned over all other apps on the app store, too.
  • Reply 3 of 25
    philboogie wrote: »
    If the fix was that easy, why didn't they do this the moment they were informed?

    Wanted to thumbs up you, but 'I'm over my limit for rating content. Please try again later.'
  • Reply 4 of 25
    philboogie Posts: 7,438 member
    philboogie wrote: »
    If the fix was that easy, why didn't they do this the moment they were informed?

    Wanted to thumbs up you, but 'I'm over my limit for rating content. Please try again later.'

    That's...weird. On the desktop, if I turn off Java, I get this error:

    [image]

    On the iPhone, if I turn off Java, I get this error:

    [image]

    You could try to delete the history of this site:
    /Settings/Safari/Advanced/Website Data and wipe ai.com

    Sometimes logging out and back in helps, though I prefer to simply blame Huddler for all unexpected HTML stuff over here. Huddler. Why do a proper job when we are so good at doing a rim job.
  • Reply 5 of 25
    evilution Posts: 1,347 member
    Who the hell is going to go out of their way to gain access to a phone, bother downloading the file to gain access to some log in details so they can get their hands on a small pre-paid account that can only buy them some crap coffee and cake? :rolleyes:

    I can see why Starbucks didn't bother until they were pushed.
  • Reply 6 of 25
    macxpress Posts: 4,786 member

    Great! Now all they need to do is make good coffee and not charge $10,000 for a small. 

  • Reply 7 of 25
    MacPro Posts: 18,141 member
    philboogie wrote: »
    If the fix was that easy, why didn't they do this the moment they were informed?

    Well it is complicated for them, they had to decide between a tall fix, grande fix and a venti fix. :D
  • Reply 8 of 25
    philboogie Posts: 7,438 member
    philboogie wrote: »
    If the fix was that easy, why didn't they do this the moment they were informed?

    Well it is complicated for them, they had to decide between a tall fix, grande fix and a venti fix. :D

    My, aren't you in a good mood this morning!

    Cheers!
  • Reply 9 of 25
    jkichline Posts: 1,331 member
    philboogie wrote: »
    If the fix was that easy, why didn't they do this the moment they were informed?

    Uh, because it takes Apple a few days to approve the release? 5-7 days if it's not expedited.
  • Reply 10 of 25
    philboogie Posts: 7,438 member
    jkichline wrote: »
    philboogie wrote: »
    If the fix was that easy, why didn't they do this the moment they were informed?

    Uh, because it takes Apple a few days to approve the release? 5-7 days if it's not expedited.

    They knew since November:

    http://appleinsider.com/articles/14/01/16/starbucks-ios-app-found-to-store-user-credentials-in-plain-text
    Security researcher Daniel Wood publicly disclosed the vulnerability, which would require an attacker to have physical access to the device, on Monday. Wood told Computerworld that he first contacted Starbucks to report the flaw last November and only went public after the company failed to act.
  • Reply 11 of 25
    Wanted to thumbs up you, but 'I'm over my limit for rating content. Please try again later.'

    There's a thread for Duddler issues.
  • Reply 12 of 25
    evilution wrote: »
    Who the hell is going to go out of their way to gain access to a phone, bother downloading the file to gain access to some log in details so they can get their hands on a small pre-paid account that can only buy them some crap coffee and cake? :rolleyes:

    I can see why Starbucks didn't bother until they were pushed.

    It's MY coffee and cake. How dare anyone steal it. This is an outrage.
  • Reply 13 of 25
    Suddenly Newton wrote: »
    It's MY coffee and cake. How dare anyone steal it. This is an outrage.

    Well they already stole your phone by this time -- why not let them slide on the coffee and cake and just focus on what's important? :D

  • Reply 14 of 25

    On a more serious note, I don't understand how they missed this to begin with.  Apple provides the keychain for storing exactly this kind of sensitive data.  It's not a super easy API to use, but there are plenty of wrappers out there and it's certainly something that shouldn't take more than a few hours to get working. I've implemented it myself in a few apps, so I'm familiar with how long it would take to do.  A bigger project like the Starbucks app would certainly have the cycles to do this.

  • Reply 15 of 25
    solipsismx Posts: 19,566 member
    evilution wrote: »
    Who the hell is going to go out of their way to gain access to a phone, bother downloading the file to gain access to some log in details so they can get their hands on a small pre-paid account that can only buy them some crap coffee and cake? :rolleyes:

    I can see why Starbucks didn't bother until they were pushed.

    If your username and password are stored in clear text why are we assuming it's all being encrypted over the network? People that frequent Starbucks often use their public, unsecured WiFi. Any number of apps could grab this data. Starbucks has a very robust system of adding money and gift cards to cards online. You can even send money to others as a gift right from your Starbucks card or see a lot more private information online with the credentials sent in cleartext. If you use the same password for everything you open that up to a lot of other issues.
  • Reply 16 of 25
    SolipsismX wrote: »
    If your username and password are stored in clear text why are we assuming it's all being encrypted over the network? People that frequent Starbucks often use their public, unsecured WiFi. Any number of apps could grab this data. Starbucks has a very robust system of adding money and gift cards to cards online. You can even send money to others as a gift right from your Starbucks card or see a lot more private information online with the credentials sent in cleartext. If you use the same password for everything you open that up to a lot of other issues.

    Presumably if Starbucks wasn't using encryption for the network connection, we would've heard about this already as well since the app was under scrutiny by a security researcher. Also it's likely that the team that works on the network side of things is completely different than the team that worked on the iOS app. If the servers already required encryption on their end, the iOS app would've had to use it.

    Most likely, whoever developed the iOS app just wasn't aware of what Apple provides to save passwords. My guess is that there are possibly lots of apps storing credentials in an insecure manner and they just don't have the high profile of a Starbucks, so they've gone unnoticed.

    That said, that's still no excuse for not using something besides storing the credentials in cleartext.

  • Reply 17 of 25
    Benjamin Frost wrote: »
    PhilBoogie wrote: »
    If the fix was that easy, why didn't they do this the moment they were informed?

    Wanted to thumbs up you, but 'I'm over my limit for rating content. Please try again later.'

    AI's website has become an unfortunate mess.

  • Reply 18 of 25
    AI's website has become an unfortunate mess.

    Ironic, isn't it? Reporting on a company that puts so much effort into getting the details right, yet here we are: the only value comes from the posters, through some obscurely designed website that ought to be...

    Never mind.
  • Reply 19 of 25

    Exactly, SmileyDude! I was able to implement the keychain for an app with about 10 lines of code using a wrapper.

    Just goes to show you, there's a lot of people out there that don't know what they're doing.

    What most people are missing is that Crashlytics is a crash reporting system. The crash reports were not only on the devices, they get shipped to Crashlytics for collection and analysis. I wouldn't be surprised to find out that it was a last minute addition to a release and wasn't well thought out. That's usually how this stuff happens.
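The storage mistake the article describes (credentials ending up in a plaintext log inside the app sandbox) next to the Keychain fix that Reply 14 and Reply 19 point to, as an added Swift example that is not Starbucks', Crashlytics' or any poster's code. The `Credentials` type, the service string and the account value are assumptions made for illustration.

```swift
import Foundation
import Security

// Added example, not Starbucks' or Crashlytics' code. `Credentials`, the service name
// and the account value are assumptions made for illustration.
struct Credentials { let username: String; let password: String }

// The anti-pattern behind the story: anything handed to NSLog or a crash reporter lands in a
// plaintext log inside the app sandbox, which is the file the researcher pulled off the device.
func insecureLogLogin(_ c: Credentials) {
    NSLog("login user=%@ password=%@", c.username, c.password) // leaks the secret to the log
}
enum KeychainError: Error { case status(OSStatus) }

// The fix: the secret goes to the Keychain, where it is encrypted at rest under device keys and,
// with this accessibility class, readable only while unlocked and never migrated to backups.
func storePassword(_ password: String, account: String, service: String) throws {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    _ = SecItemDelete(query as CFDictionary) // replace any earlier item for this account
    var item = query
    item[kSecValueData as String] = Data(password.utf8)
    item[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    let status = SecItemAdd(item as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
}

func loadPassword(account: String, service: String) throws -> String? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var result: AnyObject?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    if status == errSecItemNotFound { return nil }
    guard status == errSecSuccess, let data = result as? Data else { throw KeychainError.status(status) }
    return String(data: data, encoding: .utf8)
}

// Log the account identifier if debugging needs it; the password never reaches a log line.
func safeLogin(_ c: Credentials) throws {
    try storePassword(c.password, account: c.username, service: "com.example.app.login") // assumed
    NSLog("stored credential for account=%@", c.username)
}
```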

  • Reply 20 of 25
    Evilution wrote: »
    Who the hell is going to go out of their way to gain access to a phone, bother downloading the file to gain access to some log in details so they can get their hands on a small pre-paid account that can only buy them some crap coffee and cake? :rolleyes:


    Someone who wants to try out the email address and password they stole on other services where the combo might work maybe?
