Go Back   MacRumors Forums > News and Article Discussion > iOS Blog Discussion

Old Jan 16, 2014, 12:42 AM   #1
MacRumors
macrumors bot
 
Join Date: Apr 2001
Starbucks Admits It Stores Unencrypted User Passwords, Location Data in iPhone App




Starbucks has admitted that its mobile payment app for iPhone does not encrypt user passwords and location data, instead storing it in a clear text format, according to a report from Computerworld.
Quote:
The credentials were stored in such a way that anyone with access to the phone can see the passwords and usernames by connecting the phone to a PC. No jailbreaking of the phone is necessary. And that clear text also displays an extensive list of geolocation tracking points (latitude, longitude), a treasure trove of security and privacy gems for anyone who steals the phone.
The vulnerability was first discovered by security researcher Daniel Wood, who published his findings online for the security community after repeatedly not having success when attempting to contact Starbucks.

The coffee company tells Computerworld that it has "security measures in place now related to that". However, Wood tells The Verge that anything Starbucks does on its end "would not matter" because the vulnerability lies within the app itself.

Potential criminals would still need to physically have the phone to attain any user information, and the only information available would be user names, passwords and location data, but users of the app who had the "auto replenish" feature on would enable criminals to continually add money to the app to make Starbucks purchases.

Update: Starbucks has issued a statement acknowledging the issue and promising an expedited update for the company's iOS app.
Quote:
We'd like to be clear: there is no indication that any customer has been impacted by this or that any information has been compromised. Regardless, we take these types of concerns seriously and have added several safeguards to protect the information you share with us. To protect the integrity of these added measures, we are unable to share technical details but can assure you that they sufficiently address the concerns raised in the research report.

Out of an abundance of caution, we are also working to accelerate the deployment of an update for the app that will add extra layers of protection. We expect this update to be ready soon and will share our progress here. While we are working on the update, we would like to emphasize that your information is protected and that you should continue to feel confident about the integrity of our iOS app.
Article Link: Starbucks Admits It Stores Unencrypted User Passwords, Location Data in iPhone App
Old Jan 16, 2014, 12:45 AM   #2
Lionel Messi
macrumors member
 
Join Date: Dec 2013
Location: Barcelona, Spain
Glad I don't have a Starbucks app in my country. Good luck cleaning that up, Starbucks.
Old Jan 16, 2014, 12:45 AM   #3
flash84x
macrumors regular
 
Join Date: Aug 2011
Really? It's not that hard to use the keychain which is built into iOS. Every competent iOS developer knows this.
Old Jan 16, 2014, 12:49 AM   #4
simon48
macrumors 65816
 
Join Date: Sep 2010
Really? Just hash or encrypt them, what's the harm in doing so?
Old Jan 16, 2014, 12:49 AM   #5
deadbeef
macrumors newbie
 
Join Date: Jan 2014
If they're storing it unencrypted, how are they transmitting it? Can it be sniffed?
Old Jan 16, 2014, 12:52 AM   #6
maxwelltech
macrumors 6502
 
Join Date: Dec 2011
Location: Irvine, CA, USA
Good thing I don't have the Starbucks app, but I do use Starbucks' open WiFi quite often, so does that mean that my logon information is stored on their network?
__________________
Hackintosh w/ i7-4770K, 16GB RAM, 2x120GB SSDs, 1TB HDD, GTX 760; MacBook Pro 13 i7 (Mid 2012) w/ 240GB SSD; iPad 4 WiFi 32GB; HTC One 32GB AT&T
Old Jan 16, 2014, 01:02 AM   #7
LuigiWeegee
Banned
 
Join Date: Jan 2014
That's so stupid. Did they hire some Java hacker in 7th grade to code this? No, the 7th grader would at the very least use a Caesarian Shift.

----------

Quote:
Originally Posted by maxwelltech
Good thing I don't have the Starbucks app, but I do use Starbucks' open WiFi quite often, so does that mean that my logon information is stored on their network?
If they're sniffing your packets and saving them, yeah. But I doubt it, and chances are anything you're logging into is using HTTPS.

----------

I have a complex passcode set because I'm afraid of this sort of thing. Does that encrypt all the data, or is that just used for the keychain?
Old Jan 16, 2014, 01:07 AM   #8
bradl
macrumors 68030
 
Join Date: Jun 2008
Quote:
Originally Posted by maxwelltech
Good thing I don't have the Starbucks app, but I do use Starbucks' open WiFi quite often, so does that mean that my logon information is stored on their network?
No. As this was only pertaining to their iOS app, WiFi there shouldn't be a problem. However, it all depends on who is operating the hotspot there (some are still run by ATT, for example).

This was actually posted to the Bugtraq Security mailing list yesterday; I'm on that list. Here's a snippet:

Quote:
Title: [CVE-2014-0647] Insecure Data Storage of User Data Elements in Starbucks v2.6.1 iOS mobile application
Published: January 13, 2014
Reported to Vendor: December 2013 (no direct response)
CVE Reference: CVE-2014-0647
Credit: This issue was discovered by Daniel E. Wood
http://www.linkedin.com/in/danielewood

Product: Starbucks iOS mobile application
Version: 2.6.1 (May 02, 2013)
Vendor: Starbucks Coffee Company
URL: https://itunes.apple.com/us/app/starbucks/id331177714

Issue: Username, email address, and password elements are being stored in clear-text in the session.clslog crashlytics log file.
Location: /Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog

Within session.clslog there are multiple instances of the storage of clear-text credentials that can be recovered and leveraged for unauthorized usage of a user's account on the malicious user's own device or online at https://www.starbucks.com/account/signin. It contains the HTML of the mobile application page that performs the account login or account reset. session.clslog also contains the OAuth token (signed with HMAC-SHA1) and OAuth signature for the user's account/device to the Starbucks service.
For someone to effectively sniff this, and do it easily, the person using the app would need to be on Wifi, as well as the malicious user. That way they would be on the same network. They could then use something like Wireshark to sniff the packets of the IP address assigned to the App user, and get the information as it is being submitted (this does assume that the transmission is also going across on an insecure protocol, like HTTP).

Regardless, mitigation is also included:
Quote:
To prevent sensitive user data (credentials) from being recovered by a malicious user, output sanitization should be conducted to prevent these data elements from being stored in the crashlytics log files in clear-text, if at all.
Expect a new version of the App to be released in very short order.

BL.
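As an added example of the advisory's "output sanitization" mitigation (this is my own Python, not code from the Starbucks app or from the advisory; the field names and the sample log lines are constructed assumptions), a redactor that strips credential-like values before a line reaches a crash/analytics logger, plus an audit helper that reports which fields an existing log still exposes:

```python
import re

# Added example (not the Starbucks app's code): redact credential-like values
# before text is handed to a crash/analytics logger, and audit logs that
# already exist. Field names and the sample log are constructed assumptions.
SENSITIVE_KEYS = ("password", "passwd", "username", "email",
                  "oauth_token", "oauth_signature", "access_token")
REDACTED = "[REDACTED]"
_KEYS = "|".join(map(re.escape, SENSITIVE_KEYS))

# key=value, key: value and "key": "value" fragments (query strings, JSON, headers)
_KV_RE = re.compile(r'(?i)\b(' + _KEYS + r')(["\']?\s*[=:]\s*["\']?)([^\s&;,"\']+)')
# <input name="password" value="..."> fragments: the advisory notes that the
# login page's own HTML (form fields included) ended up in the log
_INPUT_RE = re.compile(r'(?i)(<input\b[^>]*\bname=["\'](' + _KEYS +
                       r')["\'][^>]*\bvalue=["\'])([^"\']*)(["\'])')

def sanitize(line):
    """Return the log line with every credential-like value replaced."""
    line = _INPUT_RE.sub(lambda m: m.group(1) + REDACTED + m.group(4), line)
    return _KV_RE.sub(lambda m: m.group(1) + m.group(2) + REDACTED, line)

def sanitize_log(text):
    """Sanitize a whole log, e.g. the buffer handed to a crash reporter."""
    return "\n".join(sanitize(line) for line in text.splitlines())

def find_leaks(text):
    """Audit an existing log: (line number, field) for each unredacted hit."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        hits += [(n, m.group(2).lower()) for m in _INPUT_RE.finditer(line)
                 if m.group(3) != REDACTED]
        hits += [(n, m.group(1).lower()) for m in _KV_RE.finditer(line)
                 if m.group(3) != REDACTED]
    return hits

# Constructed sample of what a session log might contain; not a real capture.
SAMPLE_LOG = """\
2014-01-13 10:02:11 session start
POST /account/signin username=alice@example.com&password=hunter2
<input type="text" name="username" value="alice@example.com"><input type="password" name="password" value="hunter2">
Authorization: OAuth oauth_token="abc123", oauth_signature="xyz%3D"
2014-01-13 10:02:12 purchase ok
"""
```

Running `find_leaks(SAMPLE_LOG)` before sanitizing reports six hits (lines 2 to 4); after `sanitize_log` it reports none, which is the check to wire into a test suite so the crash log never regresses.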
Old Jan 16, 2014, 01:20 AM   #9
macs4nw
macrumors 68020
 
Join Date: Sep 2010
Location: On Safari…..
After all the brouhaha of late about privacy and security, whoever wrote this App, what were they thinking…..?
__________________
Due to my aversion to bragging and clichés, no words of wisdom to be found on this line.....
Old Jan 16, 2014, 01:28 AM   #10
goatless
macrumors member
 
Join Date: Oct 2009
Quote:
Originally Posted by bradl
No. As this was only pertaining to their iOS app, WiFi there shouldn't be a problem. However, it all depends on who is operating the hotspot there (some are still run by ATT, for example).

This was actually posted to the Bugtraq Security mailing list yesterday; I'm on that list. Here's a snippet:

For someone to effectively sniff this, and do it easily, the person using the app would need to be on Wifi, as well as the malicious user. That way they would be on the same network. They could then use something like Wireshark to sniff the packets of the IP address assigned to the App user, and get the information as it is being submitted (this does assume that the transmission is also going across on an insecure protocol, like HTTP).

Regardless, mitigation is also included:

Expect a new version of the App to be released in very short order.

BL.
I thought I understood this but now I'm confused. The cleartext is in a crash log. The implication of what you're saying is that the crash log is sent over WiFi, assuming it's enabled, whenever one uses the Starbucks app in a Starbucks store. Is this the case?
Old Jan 16, 2014, 02:27 AM   #11
bradl
macrumors 68030
 
Join Date: Jun 2008
Quote:
Originally Posted by goatless
I thought I understood this but now I'm confused. The cleartext is in a crash log. The implication of what you're saying is that the crash log is sent over WiFi, assuming it's enabled, whenever one uses the Starbucks app in a Starbucks store. Is this the case?
Actually, I think you're right, and I stand corrected. This is definitely in a log, where the data could be used on the innocent user's own device, the malicious user's device, or on Starbucks' website. So at the very least, to exploit this, the malicious user would need access to the innocent user's iOS device to collect the data. Once they have that, it could be used anywhere.

Either way, the storage of that in cleartext on the device is not good. When I initially read this, the example included the form that was used for submission, so I naturally thought that it was submitted in clear text when a purchase was made. That would have been worse.

BL.
Old Jan 16, 2014, 03:09 AM   #12
dollystereo
macrumors 6502a
 
Join Date: Oct 2004
Location: France
Anyway, Starbucks coffee is so bad (wait, it shouldn't be called coffee)... what was I going to say?
__________________
MBP, MP
Old Jan 16, 2014, 03:28 AM   #13
eastercat
macrumors 68040
 
Join Date: Mar 2008
Location: PDX
I buy their green tea soy latte on occasion and I use the app. I knew Starbucks sucked, but this is a level of corporate stupidity that is sadly not surprising.
__________________
64 GB space grey iPhone 5S (AT&T); 16 GB space grey iPad retina mini (Verizon with T-Mobile sim); 2014 rMBP 2.8 GHz quad core i7, 16 GB RAM, 1TB SSD, Nvidia GeForce GT 750M
Old Jan 16, 2014, 03:51 AM   #14
pnoyblazed
macrumors 6502a
 
Join Date: Mar 2008
Location: Rockland/Manhattan/Bay Area
does that mean this app will finally get iOS7 support?
Old Jan 16, 2014, 03:56 AM   #15
cclloyd
macrumors 68000
 
Join Date: Oct 2011
Location: Alpha Centauri A
I hope Dunkin Donuts does the same, cause Stahbucks sucks.
__________________
iPhone 5 Sprint w/ iOS 7.0.4 Jailbroken
iPad mini Retina w/ iOS 7.0.4 Jailbroken
MacBook Pro Retina Early 2013
Old Jan 16, 2014, 04:37 AM   #16
roadbloc
macrumors 604
 
Join Date: Aug 2009
Location: UK
Tut tut. Good job I don't go to Starbucks. Or have an iPhone.
Old Jan 16, 2014, 04:38 AM   #17
dangerly
macrumors regular
 
Join Date: Oct 2009
Starbucks coffees/products are awful, who wants to use an app to purchase it in the first place?
Old Jan 16, 2014, 04:38 AM   #18
baryon
macrumors 68030
 
Join Date: Oct 2009
You know all those "crazy people" who always come up with paranoid conspiracy theories? The ones that keep saying "your phone is being tracked by the government! Big companies are selling your information to other companies! We are all being spied on!"?

Well I hate to admit it but they were right all along!
__________________
Sent from my iPod Shuffle
Old Jan 16, 2014, 04:39 AM   #19
Elijen
macrumors regular
 
Join Date: May 2012
Terrible coffee, terrible app. What did you expect?
Old Jan 16, 2014, 04:56 AM   #20
TC03
macrumors 6502a
 
Join Date: Aug 2008
Maybe it is time to make unencrypted password storage illegal. For literally every company or service you have to make an account with, we have to be sure we can trust these companies.
Old Jan 16, 2014, 05:16 AM   #21
MacsRgr8
macrumors 604
 
Join Date: Sep 2002
Location: The Netherlands
Quote:
Originally Posted by Elijen
Terrible coffee, terrible app. What did you expect?
LOL yep.
When a food and drinks company tries to get customers to their locations by offering free Wifi, you know something isn't quite right with their core product.
__________________
Steve Jobs. 1955 - 2011. My Hero.
Old Jan 16, 2014, 05:56 AM   #22
iapplelove
macrumors 68000
 
Join Date: Nov 2011
Location: East Coast USA
Thankfully I don't drink coffee
__________________
15" MBP/iphone 6 Plus 128gb/ipad Air 64gb/ipod nano/apple tv 3rd gen.
Old Jan 16, 2014, 06:30 AM   #23
cdmoore74
macrumors 68000
 
Join Date: Jun 2010
Quote:
Originally Posted by Elijen
Terrible coffee, terrible app. What did you expect?
Well, it is a place where hipsters show off their iPads and MacBooks.
Old Jan 16, 2014, 06:35 AM   #24
Shrink
macrumors Demi-God
 
Join Date: Feb 2011
Location: New England, USA
And just one more reason to avoid Starbucks...even if you pay with cash!
__________________
Two things are infinite, the universe and human stupidity; and I'm not sure about the universe. -- Albert Einstein
Old Jan 16, 2014, 06:36 AM   #25
alent1234
macrumors 603
 
Join Date: Jun 2009
The coffee is so bad, there is always a line of people waiting to buy it.
