Coffee megachain Starbucks is under fire over its data security practices after it was discovered that the company's iOS payment app does not encrypt customers' login information.
Update: A Starbucks spokesperson told The Verge that a future update to the app will bring a new credential storage method that will no longer expose usernames and passwords as plain text. An earlier release from the company said that the new version would be ready "soon."
Security researcher Daniel Wood publicly disclosed the vulnerability, which would require an attacker to have physical access to the device, on Monday. Wood told Computerworld that he first contacted Starbucks to report the flaw last November and only went public after the company failed to act.
At issue is a log file generated by Twitter-owned crash reporting analytics firm Crashlytics. The log file, which Wood says can be retrieved from a user's handset even if the phone is locked with a PIN, contains unencrypted versions of the customer's username, email address, and password.
Starbucks executives, for their part, acknowledged the vulnerability and said that they have made changes to mitigate the danger.
"We were aware" of the problem, Starbucks' Chief Digital Officer Adam Brotman told Computerworld, before adding that the chain has "adequate security measures in place now" and that "usernames and passwords are safe." Following the statements, Wood reassessed the situation and found that the credentials were still freely available.
While this particular vulnerability is unlikely to cause widespread damage, the publication notes that it does provide an opportunity to remind the public of the dangers of reusing passwords across services. A targeted attack against an individual who uses the same password for both Starbucks and their online banking service, for instance, could yield a significant payday for the attacker and a financial headache for the victim.
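A defender's check for the class of problem the article describes, added here as an illustrative example (it is not Wood's tooling and not code from Starbucks or Crashlytics): log in with a throwaway test account, pull the app's log and crash-report files off the device, and search them for that account's credentials in the forms they usually leak in (clear text, URL-encoded, base64). The credentials and the log lines below are constructed.

```python
import base64
from urllib.parse import quote

# Constructed credentials for a throwaway test account (not real data).
TEST_CREDENTIALS = {
    "username": "test.user@example.com",
    "password": "Tr0ub4dor&",
}

# Constructed crash-report log in the style of an app sandbox log file.
SAMPLE_LOG = """\
2014-01-13 06:02:11 app launched, build 2.6.1
2014-01-13 06:02:15 POST /login body=username=test.user%40example.com&password=Tr0ub4dor%26
2014-01-13 06:02:16 session established for test.user@example.com
2014-01-13 06:02:16 cached token=VHIwdWI0ZG9yJg==
2014-01-13 06:03:02 fetched card balance OK
"""

def leak_forms(secret):
    """The encodings a credential typically appears in when it leaks into a log."""
    forms = {
        "plain": secret,
        "urlencoded": quote(secret, safe=""),
        "base64": base64.b64encode(secret.encode()).decode(),
    }
    # Drop forms identical to the plain value so one hit is reported once.
    return {name: value for name, value in forms.items()
            if name == "plain" or value != secret}

def scan_log(text, credentials=TEST_CREDENTIALS):
    """Return (line_number, credential_name, encoding) for every leaked occurrence."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for cred_name, secret in credentials.items():
            for form, needle in leak_forms(secret).items():
                if needle in line:
                    findings.append((lineno, cred_name, form))
    return findings

def redact(text, credentials=TEST_CREDENTIALS):
    """Replace every leaked form with a placeholder, e.g. before sharing a report."""
    for cred_name, secret in credentials.items():
        for needle in leak_forms(secret).values():
            text = text.replace(needle, f"<{cred_name}-redacted>")
    return text

if __name__ == "__main__":
    for lineno, name, form in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {name} leaked ({form})")
```

Any hit means the app wrote the credential to disk; the fix is in the app (never log the login request body or response, keep credentials in the Keychain), not in the scanner.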
31 Comments
I guess that is why I still use Cash whenever going to small businesses whenever possible.
Another reason to avoid Starbucks...Shitty coffee and now this. I can brew a better latte than they can for 1/16th the price and I don't have to wait in line with the entitled people.
Quoting the comment above: "I guess that is why I still use Cash whenever going to small businesses whenever possible."
I didn't know Starbucks was a small business???
If you have a PIN and your phone is locked, isn't the entire device encrypted?
Another reason for people to use 1Password: https://agilebits.com/onepassword

macxpress wrote: "Another reason to avoid Starbucks...Shitty coffee and now this. I can brew a better latte than they can for 1/16th the price and I don't have to wait in line with the entitled people."

I'm a big fan of Starbucks. I'm there pretty much every morning between 5 and 6am. I get up early but I don't want to make my own coffee at home and I like the (ironic?) social aspect of getting out and about early in the morning just to sit someplace ignoring everyone around me whilst reading news on my computer. I like to study in public even if I'm not interacting with others. I think I need that visual stimuli as background noise for my brain. I guess I'm not a connoisseur of coffee since I go to Starbucks but they have something going for them I have rarely found elsewhere: consistency. I can go to any Starbucks and it will taste the same and yet it seems a barista at any other place can't replicate the same experience twice. Consistency is good, especially at 5 in the morning.

Gustav wrote: "If you have a PIN and your phone is locked, isn't the entire device encrypted?"

I'm not certain but I don't think iExplorer requires you to unlock your phone to get folder access: http://www.macroplant.com/iexplorer/