Starbucks Admits It Stores Unencrypted User Passwords, Location Data in iPhone App

Discussion in 'iOS Blog Discussion' started by MacRumors, Jan 15, 2014.

  1. macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1
    Starbucks has admitted that its mobile payment app for iPhone does not encrypt user passwords and location data, instead storing them in clear text, according to a report from Computerworld.
    The vulnerability was first discovered by security researcher Daniel Wood, who published his findings online for the security community after repeated unsuccessful attempts to contact Starbucks.

    The coffee company tells Computerworld that it has "security measures in place now related to that". However, Wood tells The Verge that anything Starbucks does on its end "would not matter" because the vulnerability lies within the app itself.

    A criminal would still need physical access to the phone to obtain any user information, and the only information exposed would be user names, passwords and location data. For users who had the "auto replenish" feature turned on, however, a stolen password would let a criminal keep adding money to the app and spending it on Starbucks purchases.

    Update: Starbucks has issued a statement acknowledging the issue and promising an expedited update for the company's iOS app.
    Article Link: Starbucks Admits It Stores Unencrypted User Passwords, Location Data in iPhone App
     
  2. macrumors member

    Joined:
    Dec 2, 2013
    Location:
    Barcelona, Spain
    #2
    Glad I don't have a Starbucks app in my country. Good luck cleaning that up, Starbucks.
     
  3. macrumors regular

    Joined:
    Aug 5, 2011
    #3
    Really? It's not that hard to use the keychain which is built into iOS. Every competent iOS developer knows this.
     
  4. macrumors 65816

    simon48

    Joined:
    Sep 1, 2010
    #4
    Really? Just hash or encrypt them, what's the harm in doing so?
     
  5. macrumors newbie

    Joined:
    Jan 15, 2014
    #5
    If they're storing it unencrypted, how are they transmitting it? Can it be sniffed?
     
  6. macrumors 6502

    Joined:
    Dec 29, 2011
    Location:
    Irvine, CA, USA
    #6
    Good thing I don't have the Starbucks app, but I do use Starbucks' open WiFi quite often, so does that mean that my logon information is stored on their network?
     
  7. macrumors newbie

    Joined:
    Jan 15, 2014
    #7
    That's so stupid. Did they hire some Java hacker in 7th grade to code this? No, the 7th grader would at the very least use a Caesarian Shift.

    ----------

    If they're sniffing your packets and saving them, yeah. But I doubt it, and chances are anything you're logging into is using HTTPS.

    ----------

    I have a complex passcode set because I'm afraid of this sort of thing. Does that encrypt all the data, or is that just used for the keychain?
     
  8. macrumors 68030

    bradl

    Joined:
    Jun 16, 2008
    #8
    No. As this was only pertaining to their iOS app, WiFi there shouldn't be a problem. However, it all depends on who is operating the hotspot there (some are still run by AT&T, for example).

    This was actually posted to the Bugtraq Security mailing list yesterday; I'm on that list. Here's a snippet:

    For someone to effectively sniff this, and do it easily, the person using the app would need to be on Wifi, as well as the malicious user. That way they would be on the same network. They could then use something like Wireshark to sniff the packets of the IP address assigned to the App user, and get the information as it is being submitted (this does assume that the transmission is also going across on an insecure protocol, like HTTP).

    Regardless, mitigation is also included:
    Expect a new version of the App to be released in very short order.

    BL.
     
  9. macrumors 68030

    macs4nw

    #9
    After all the brouhaha of late about privacy and security, whoever wrote this App, what were they thinking?
     
  10. macrumors member

    goatless

    Joined:
    Oct 19, 2009
    #10
    I thought I understood this but now I'm confused. The cleartext is in a crash log. The implication of what you're saying is that the crash log is sent over WiFi, assuming it's enabled, whenever one uses the Starbucks app in a Starbucks store. Is this the case?
     
  11. macrumors 68030

    bradl

    Joined:
    Jun 16, 2008
    #11
    Actually, I think you're right, and I stand corrected. This is definitely in a log, and the data could be used on the innocent user's own device, the malicious user's device, or on Starbucks' website. So at the very least, to exploit this, the malicious user would need access to the innocent user's iOS device to collect the data. Once they have that, it could be used anywhere.

    Either way, the storage of that in cleartext on the device is not good. When I initially read this, the example included the form that was used for submission, so I naturally thought that it was submitted in clear text when a purchase was made. That would have been worse.

    BL.
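    The thread settles on the storage point: the credentials sit in cleartext in a log on the device, and the Keychain mentioned in post #3 is the built-in alternative. The following is an added example, not code from the original posts, the Computerworld report, or Starbucks' app. It shows, in Objective-C with Keychain Services, the weak pattern beside the hardened one: writing a password to NSLog and NSUserDefaults versus storing it as a generic-password Keychain item. The service name, function names and argument names are assumptions made for illustration.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical Keychain service identifier for the app's login item.
static NSString *const kLoginService = @"com.example.coffeeapp.login";

// WEAK: the kind of pattern the report describes. NSLog output ends up in the
// device log and in crash reports, and NSUserDefaults is a plain plist under
// Library/Preferences. Both are readable from an unlocked phone or a backup.
void storeInsecurely(NSString *user, NSString *password) {
    NSLog(@"login user=%@ password=%@", user, password);
    [[NSUserDefaults standardUserDefaults] setObject:password forKey:@"password"];
}

// HARDENED: a generic-password Keychain item, bound to this device and only
// readable while the device is unlocked. The item is encrypted under a key the
// passcode protects and is excluded from backups (ThisDeviceOnly).
BOOL storeInKeychain(NSString *user, NSString *password, OSStatus *outStatus) {
    NSDictionary *match = @{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kLoginService,
        (__bridge id)kSecAttrAccount: user,
    };
    // Remove any previous item for this account so SecItemAdd does not fail
    // with errSecDuplicateItem.
    SecItemDelete((__bridge CFDictionaryRef)match);

    NSMutableDictionary *item = [match mutableCopy];
    item[(__bridge id)kSecValueData] = [password dataUsingEncoding:NSUTF8StringEncoding];
    item[(__bridge id)kSecAttrAccessible] =
        (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;

    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)item, NULL);
    if (outStatus) *outStatus = status;
    return status == errSecSuccess;
}

// Reads the stored password back; returns nil if there is no item or the
// item is not accessible (for example while the device is locked).
NSString *readFromKeychain(NSString *user) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kLoginService,
        (__bridge id)kSecAttrAccount: user,
        (__bridge id)kSecReturnData:  @YES,
        (__bridge id)kSecMatchLimit:  (__bridge id)kSecMatchLimitOne,
    };
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status != errSecSuccess) return nil;   // errSecItemNotFound, errSecInteractionNotAllowed, ...
    NSData *data = CFBridgingRelease(result);
    return [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
}
```

    Two points a practitioner would check beyond this. First, on the passcode question raised in post #7: a Keychain item's protection is set per item by kSecAttrAccessible, and files the app writes get whatever Data Protection class the app assigns them; what an app prints to the log or what a crash reporter writes is not something the app's storage choice controls, which is why the log has to be kept free of secrets in the first place. Second, the cleaner design is to not keep the password on the device at all and store a server-issued session token in the Keychain instead, so that a compromised item can be revoked server-side without the user changing a reused password.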
     
  12. macrumors 6502a

    dollystereo

    Joined:
    Oct 6, 2004
    Location:
    France
    #12
    Anyway, Starbucks coffee is so bad (wait, it shouldn't be called coffee)... what was I going to say?
     
  13. macrumors 68040

    eastercat

    Joined:
    Mar 3, 2008
    Location:
    PDX
    #13
    I buy their green tea soy latte on occasion and I use the app. I knew Starbucks sucked, but this is a level of corporate stupidity that is sadly not surprising.
     
  14. macrumors 6502a

    Joined:
    Mar 1, 2008
    Location:
    Rockland/Manhattan/Bay Area
    #14
    does that mean this app will finally get iOS7 support?
     
  15. macrumors 68000

    cclloyd

    Joined:
    Oct 26, 2011
    Location:
    Alpha Centauri A
    #15
    I hope Dunkin Donuts does the same, cause Stahbucks sucks.
     
  16. macrumors G3

    roadbloc

    Joined:
    Aug 24, 2009
    Location:
    UK
    #16
    Tut tut. Good job I don't go to Starbucks. Or have an iPhone.
     
  17. macrumors regular

    Joined:
    Oct 27, 2009
    #17
    Starbucks coffees/products are awful, who wants to use an app to purchase it in the first place?
     
  18. macrumors 68030

    baryon

    Joined:
    Oct 3, 2009
    #18
    You know all those "crazy people" who always come up with paranoid conspiracy theories? The ones that keep saying "your phone is being tracked by the government! Big companies are selling your information to other companies! We are all being spied on!"?

    Well I hate to admit it but they were right all along!
     
  19. macrumors regular

    Joined:
    May 8, 2012
    #19
    Terrible coffee, terrible app. What did you expect?
     
  20. macrumors 65816

    Joined:
    Aug 17, 2008
    #20
    Maybe it is time to make unencrypted password storage illegal. For literally every company or service, you have to make an account, so we have to be sure we can trust these companies.
     
  21. macrumors 604

    MacsRgr8

    Joined:
    Sep 8, 2002
    Location:
    The Netherlands
    #21
    LOL yep.
    When a food and drinks company tries to get customers to their locations by offering free WiFi, you know something isn't quite right with their core product. ;)
     
  22. macrumors 68020

    iapplelove

    Joined:
    Nov 22, 2011
    Location:
    East Coast USA
    #22
    Thankfully I don't drink coffee :)
     
  23. macrumors 68000

    Joined:
    Jun 24, 2010
    #23
    Well, it is a place where hipsters show off their iPads and MacBooks.
     
  24. macrumors demi-god

    Shrink

    Joined:
    Feb 26, 2011
    Location:
    New England, USA
    #24
    And just one more reason to avoid Starbucks...even if you pay with cash!:p
     
  25. macrumors 603

    Joined:
    Jun 19, 2009
    #25
    The coffee is so bad, there is always a line of people waiting to buy it
     