Starbucks in hot water; security on its iOS app not worth a hill of beans
It is a 'Tall' mistake for Starbucks. The information could have come tumbling out of any iPhone connected to a PC. The handset does not need to be jailbroken. Starbucks apparently decided to make its app fast for users by requiring that usernames and passwords be entered just once when using the app. After than initial entry, every time you use the Starbucks app to make a purchase, the username and email fields are already filled. The only time you need your password is when adding money to your account.
A pair of executives, Starbucks CIO Curt Garner and Starbucks Chief Digital Officer Adam Brotman, admitted to knowing that the data was being stored in clear text. Brotman says that this is no longer an issue because the caffeine pusher has security in place. The executive says that "usernames and passwords are safe," thanks to "extra layers of security." Two hours later, a test by security expert Daniel Wood revealed that the information was still in clear text. This time though, a geolocation history file was found, detailing the longitude and latitude of the researcher each time he used the store locator on the app. Wood is the gentleman who discovered the security breach in the first place.
A thief would need only 30 minutes with your iPhone to steal your personal data from the Stabucks app, and your PIN number means nothing. If you opt for the auto-replenish feature, your bank account information could be at risk. Gartner security analyst Avivah Litan says of the Starbucks app, "They can come up with any rationale that they want to, it's just bad security practice. You don't store passwords in the clear. Ever."
Wood posted the information about Starbuck's use of unencrypted data on a website after unsuccessfully trying to interest the company in his research. This is exactly what happened to messaging app Snapchat after a security firm tried to contact it about exploits on its app. The security firm eventually published the exploits in a tweet which led to a massive leak of usernames and phone numbers (last two digits redacted) for 4.6 million Snapchat users. Let these two incidents be a warning to corporations that when a security firm is trying to get your attention about a major security breach on your app, it pays to at least give them the courtesy of listening to what they have to say.
source: Seclists.org, ComputerWorld via MacRumors
1. danishnigz (Posts: 5; Member since: 31 Aug 2013)
That level of puns in the first half of the article xD
2. elitewolverine (Posts: 1364; Member since: 28 Oct 2013)
So a security company can breach the security of the app and not be held accountable? Makes little sense to me.
Also the auto reload only happens once a day, so unless you are going to overload on coffee since they dont have access to the bank info as that is blanked out to my knowledge, what can they get? Access to coupons? I guess. Then again people routinely use the same password email combos so that is a huge mistake/potential.
But it did say that they need the iphone in the first place right? Meaning a stolen phone...
3. Ant34 (Posts: 193; Member since: 10 Aug 2013)
Why should someone be held accountable for breaching the security of an app on their mobile device?
4. elitewolverine (Posts: 1364; Member since: 28 Oct 2013)
What? You have not read the terms of agreement I suppose. Most people don't, only the courts see those.
(a) any resale or commercial use of the Sites or Site Materials; (b) the collection and use of any product listings, pictures or descriptions; (c) the distribution, public performance or public display of any Site Materials; (d) modifying or otherwise making any derivative uses of the Sites and the Site Materials, or any portion thereof; (e) use of any data mining, robots or similar data gathering or extraction methods; (f) downloading (other than the page caching) of any portion of the Sites, the Site Materials or any information contained therein, except as expressly permitted on the Sites; or (g) any use of the Sites or the Site Materials other than for its intended purpose. Any use of the Sites or Site Materials other than as specifically authorized herein, without the prior written permission of Starbucks, is strictly prohibited and will terminate the license granted herein.