Starbucks on Friday quickly responded to criticism after it was discovered that its iOS payment app does not encrypt users' login information, with a new update that promises additional "safeguards" for customers.
It's unclear whether version 2.6.2 of the Starbucks app completely addresses the security issues that gained attention this week, but the coffee chain's CIO did promise on Thursday that an update coming "soon" would ensure that usernames and passwords are no longer stored in plain text.
The release notes for Friday's update simply state that the latest version includes "additional performance enhancements and safeguards."
Starbucks has been under fire since security researcher Daniel Wood publicly disclosed the vulnerability, which requires an attacker to have physical access to the device. Wood reportedly contacted Starbucks about the flaw last November and said he opted to go public after the company failed to fix it.
The app relies on a log file written by Crashlytics, a Twitter-owned crash-reporting and analytics service. That log file can reportedly be retrieved from a user's handset by anyone with physical access to the iPhone, even if it is secured with a PIN lock, and the file is said to contain unencrypted copies of the customer's username, email address and password.
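The defensive counterpart to the flaw described above, as an added example that is neither Starbucks' nor Crashlytics' code: a Python scrubber that strips credential fields from log lines before they are handed to a crash-reporting log, plus a checker that can be run over a log file recovered from a test device to confirm nothing sensitive survived. The field names, log format and sample lines are constructed for this demo.

```python
import re

# Field names that must never reach a crash-reporting or analytics log in
# clear text (constructed list for this demo).
SENSITIVE_KEYS = ("password", "passwd", "pwd", "username", "email", "token")
MARKER = "[REDACTED]"

# One pattern covers key=value, key: value and JSON "key":"value" forms.
_PAIR = re.compile(
    r'(?P<key>"?\b(?:' + "|".join(SENSITIVE_KEYS) + r')\b"?)'
    r'(?P<sep>\s*[:=]\s*)'
    r'(?P<val>"[^"]*"|[^\s,;}]+)',
    re.IGNORECASE,
)

def redact_line(line: str) -> str:
    """Replace every sensitive field's value with MARKER; quoted values stay quoted."""
    def _sub(m):
        value = f'"{MARKER}"' if m.group("val").startswith('"') else MARKER
        return f"{m.group('key')}{m.group('sep')}{value}"
    return _PAIR.sub(_sub, line)

def find_leaks(lines):
    """Return (line_no, field) for each sensitive field whose value is not redacted.

    Run it over a log pulled from a test device to confirm nothing sensitive survived.
    """
    leaks = []
    for n, line in enumerate(lines, 1):
        for m in _PAIR.finditer(line):
            if MARKER not in m.group("val"):
                leaks.append((n, m.group("key").strip('"').lower()))
    return leaks

# Constructed sample of the kind of debug output that must not be persisted.
SAMPLE_LOG = [
    "2014-01-15 10:02:11 INFO  session start device=iPhone5,2",
    "2014-01-15 10:02:12 DEBUG login username=alice email=alice@example.com password=hunter2",
    '2014-01-15 10:02:13 DEBUG response {"status":"ok","token":"abc123","balance":"12.50"}',
    "2014-01-15 10:02:14 INFO  card reload amount=25.00",
]

if __name__ == "__main__":
    print("leaks before scrubbing:", find_leaks(SAMPLE_LOG))
    print("leaks after scrubbing: ", find_leaks([redact_line(l) for l in SAMPLE_LOG]))
```

The scrubber belongs in front of whatever writes the log; the checker is the audit step that would have caught a plaintext password in a recovered file.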
If the fix was [I]that[/I] easy, why didn't they do this the moment they were informed?
Sounds like there's no way for a massive database of sensitive info to get stolen... for someone to take advantage, they'd literally have to be a thief, a hacker, know of the Starbucks issue, and know you use the Starbucks app. The notorious Starbucks App Hacker Thief! I hope they're concerned over all other apps on the app store, too.
[quote name="PhilBoogie" url="/t/161621/following-security-controversy-starbucks-patches-ios-app-with-new-safeguards/0_100#post_2458889"]If the fix was [I]that[/I] easy, why didn't they do this the moment they were informed?[/quote] Wanted to thumbs up you, but 'I'm over my limit for rating content. Please try again later.'
[quote name="Benjamin Frost" url="/t/161621/following-security-controversy-starbucks-patches-ios-app-with-new-safeguards#post_2458910"][quote name="PhilBoogie" url="/t/161621/following-security-controversy-starbucks-patches-ios-app-with-new-safeguards/0_100#post_2458889"]If the fix was [I]that[/I] easy, why didn't they do this the moment they were informed?[/quote] Wanted to thumbs up you, but 'I'm over my limit for rating content. Please try again later.'[/quote] That's...weird. On the desktop, if I turn off Java, I get this error: [IMG ALT=""]http://forums.appleinsider.com/content/type/61/id/37236/width/350/height/700[/IMG] On the iPhone, if I turn off Java, I get this error: [IMG ALT=""]http://forums.appleinsider.com/content/type/61/id/37428/width/350/height/700[/IMG] You could try to delete the history of this site: /Settings/Safari/Advanced/Website Data and wipe ai.com Sometimes logging out and back in helps, though I prefer to simply blame Huddler for all unexpected HTML stuff over here. [I]Huddler. Why do a proper job when we are so good at doing a rim job. [/I]
Who the hell is going to go out of their way to gain access to a phone, bother downloading the file to gain access to some log in details so they can get their hands on a small pre-paid account that can only buy them some crap coffee and cake? :rolleyes: I can see why Starbucks didn't bother until they were pushed.