Starbucks Pledges To Fix Their Insecure iOS App [UPDATED x2]

Earlier today, I reported that the Starbucks iOS app was horrifically insecure and put users of the app at risk in a number of ways. I guess that the negative press was enough that Starbucks, via their CIO Curt Garner, has come out with a statement saying they’re going to update the app in question:
Your security is incredibly important to us. This week a research report identified theoretical vulnerabilities associated with the Starbucks Mobile App for iOS in the event a customer’s iPhone were to be physically stolen and hacked.
We’d like to be clear: there is no indication that any customer has been impacted by this or that any information has been compromised. Regardless, we take these types of concerns seriously and have added several safeguards to protect the information you share with us. To protect the integrity of these added measures, we are unable to share technical details but can assure you that they sufficiently address the concerns raised in the research report.
Out of an abundance of caution, we are also working to accelerate the deployment of an update for the app that will add extra layers of protection. We expect this update to be ready soon and will share our progress here. While we are working on the update, we would like to emphasize that your information is protected and that you should continue to feel confident about the integrity of our iOS app.
We appreciate your business and believe it is our job to earn your trust as a customer. We also know that constant vigilance is the best way to protect you and the information you share with us. If you think your information may have been compromised for any reason, please contact our Customer Care team at 1-800-23-LATTE or at www.starbucks.com/customer.
You’ll note that the only timetable is “soon” and that the company continues to insist that they “have added several safeguards to protect the information you share” with Starbucks. Seeing as the security problem exists on the phone, I don’t see how it’s possible to make changes that would make any difference anywhere other than the phone itself. Thus I consider this statement to be dubious at best. As for the timetable of “soon”, a security issue like this requires an immediate response so that you show that you as a company take security seriously. So if soon means a week or two, that’s likely fine. If it’s a month or two, it’s a #fail.
Starbucks should take note. iOS users of its app will be watching carefully to see how the company delivers. Plus you can be sure the new app will be tested by security researchers and hackers everywhere. Thus they only have one chance to get this right. It would be in their best interests not to screw it up.
UPDATE: I looked at my iPhone this morning and found one update available. When I went into the app store I saw this:

As you can see, Starbucks has updated its app with “additional performance enhancements and safeguards.” Whatever that means. I’m sure we’ll find out soon enough if it addresses the serious security issues that have generated so much bad press for the company. I also have to say that if this does solve the issue, kudos to Starbucks for getting it out so quickly after not really caring about their customers’ security for who knows how long.
UPDATE #2: Computerworld is reporting that Daniel Wood, who found this issue, says he is “almost 100% certain” that the clear-text password problem is gone. He is also now a “security consultant” for Starbucks in an unpaid role.
This entry was posted on January 16, 2014 at 8:16 pm and is filed under Commentary with tags Hacked, Security, Starbucks. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.