Starbucks App For iOS Stores Passwords In Clear Text… Yikes!

I am a Starbucks addict to the point that I have the Starbucks app for iOS installed on my iPhone 5. But I may have to wean myself off my Starbucks addiction because of this Computerworld article:

The Starbucks mobile app, the most used mobile-payment app in the U.S., has been storing usernames, email addresses and passwords in clear text, Starbucks executives confirmed late on Tuesday (Jan. 14). The credentials were stored in such a way that anyone with access to the phone can see the passwords and usernames by connecting the phone to a PC. No jailbreaking of the phone is necessary. And that clear text also displays an extensive list of geolocation tracking points (latitude, longitude), a treasure trove of security and privacy gems for anyone who steals the phone.

So let’s recap:

  • Passwords are stored in clear text, meaning that they are not encrypted in any way. This is bad software design and completely unacceptable.
  • Usernames are equally accessible.
  • There’s a list of places that you’ve visited in the app.
  • It doesn’t take a whole lot of effort for an evildoer to get access to this info. They could also use your Starbucks account to run up a very big bill.
  • Because people tend to reuse passwords and usernames, if someone gets the info related to your Starbucks account, they can get access to other accounts such as banking, Facebook, e-mail, etc.
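To show what “stored in clear text” means on the developer side, here is an added example (not code from Starbucks or from the Computerworld article): the first function writes a username and password into a plain file inside the app’s container, which is exactly the kind of data that can be read by connecting the phone to a PC; the second pair stores and reads the secret through the iOS Keychain instead. The file name `credentials.txt` and the service and account names are made up for illustration.

```swift
import Foundation
import Security

// INSECURE: the pattern the article describes. A plain-text file in the app's
// Documents directory is copied out with the app container and is readable by
// anyone who can connect the phone to a computer. File name is hypothetical.
func storeCredentialsInsecurely(username: String, password: String) throws {
    let docs = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)[0]
    let url = docs.appendingPathComponent("credentials.txt")
    try "\(username):\(password)".write(to: url, atomically: true, encoding: .utf8)
}

// BETTER: keep the secret in the Keychain. The OS encrypts it with device-bound
// keys, and with this accessibility class it is only readable while the device
// is unlocked and is never copied into a backup.
enum KeychainError: Error { case unexpectedStatus(OSStatus) }

func saveToKeychain(service: String, account: String, secret: String) throws {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,   // e.g. "com.example.coffeeapp" (hypothetical)
        kSecAttrAccount as String: account,
    ]
    // Remove any existing item so SecItemAdd does not fail with errSecDuplicateItem.
    SecItemDelete(query as CFDictionary)

    var attrs = query
    attrs[kSecValueData as String] = Data(secret.utf8)
    attrs[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    let status = SecItemAdd(attrs as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
}

func readFromKeychain(service: String, account: String) throws -> String? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    if status == errSecItemNotFound { return nil }
    guard status == errSecSuccess, let data = item as? Data else {
        throw KeychainError.unexpectedStatus(status)
    }
    return String(data: data, encoding: .utf8)
}

// Usage: store a session token rather than the password itself, so that a lost
// phone exposes something the server can revoke instead of a reusable credential.
// try saveToKeychain(service: "com.example.coffeeapp", account: "user@example.com", secret: sessionToken)
```

The design point the recap is making is the one in the closing comment: even with the Keychain, the right thing to persist is a revocable session token, not the user’s password, so that whatever is recovered from a stolen phone cannot be replayed against other accounts.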

This can be summed up in one word: #Fail.

If that’s not bad enough, it gets worse:

Two executives — Starbucks CIO Curt Garner and Starbucks Chief Digital Officer Adam Brotman — said in a telephone interview that they have known for an unspecified period of time that the credentials were being stored in clear text. “We were aware,” Brotman said. “That was not something that was news to us.”

The easy visibility of passwords was first discovered by security researcher Daniel Wood, who said he tried contacting Starbucks in mid-November. After repeatedly being transferred to customer service in the course of almost two months, he published some of his research for the security community on Monday (Jan. 13).

So, Starbucks knew about this and didn’t take the security of its customers seriously enough to do anything about it. #Epicfail.

Now Starbucks claims that “it has made (vague and unspecified) changes that alleviate the problem.” But Mr. Wood, who discovered this issue, re-ran his tests and found zero difference. That implies that Starbucks is not being completely honest, as the only way I can see them fixing this is by releasing an updated version of their iOS app, something that they have not done in quite a while.

So, how do you protect yourself? If you have the Starbucks app on your iPhone, someone would need physical access to it for about half an hour to pull this off. Thus, keep an eye on your phone. Make sure your phone has a passcode (though the author notes that the passcode can be bypassed) and perhaps add one to the Starbucks app as well. Other than that, there’s not a whole lot you can do.

Meanwhile, I’ll be re-evaluating my use of this app as well as my relationship with Starbucks as their total disregard of common application security practices is just unacceptable.
