Starbucks iOS App Updated to Secure Personal Information [Updated x2]

deeddawg · Jan 17, 2014

Not to defend Starbucks , but do try to use a little common sense.

There's essentially two scenarios...

(1) The executives, managers, and teams involved in building the app truly didn't care, intentionally designed the app to store passwords in clear text, and this decision was consciously discussed and signed off on at all levels in the company.

or (2) Some coder f'd up and didn't bother to store passwords securely, everyone assumed the coder had done it right and didn't think to double-check, and when the news came out there was a major crisis / panic to find/fix whatever code was storing the passwords.

Which is more probable...

unplugme71 · Jan 17, 2014

iMarc845 said:
Attention MacRumors Staff:

This article has two updates on it. Here's a request: PLEASE provide a Date- and Time-Stamp on your article updates.

It is useful to know, for instance, how much time elapsed between when the App update to 2.6.2 was "pulled" and when it re-appeared.

Thank you!

You do realize this will not be accurate. It could be fixed and no one notices or reports it for 15 min or 15 days.

Shrink · Jan 17, 2014

Mums said:
You know they were selling the information.

I'm not crazy about the NSA spying on me, but knowing that others know I go to Starbucks would be terminally embarrassing!

I joke...I kid...I come from love!

petsounds · Jan 17, 2014

If they're not sending the user/pass over the wire via HTTPS, and I imagine they aren't, this is really a useless gesture. Unfortunately, storing in plaintext and sending raw passwords over HTTP is the norm and not the exception with apps. Apple should really require higher standards in this regard.

seamer · Jan 17, 2014

How did this get passed Apple's review process?

iMerik · Jan 17, 2014

The original update "What's New" log just mentioned general bug fixes and enhancements. Now the reposted update says, "additional performance enhancements and safeguards." I'm guessing that's why the update disappeared, just to change the change log.

----------

petsounds said:
If they're not sending the user/pass over the wire via HTTPS, and I imagine they aren't, this is really a useless gesture. Unfortunately, storing in plaintext and sending raw passwords over HTTP is the norm and not the exception with apps. Apple should really require higher standards in this regard.

Yes. General users should at least have an easy way to know if their app is doing this.

theBB · Jan 17, 2014

deeddawg said:
Not to defend Starbucks , but do try to use a little common sense.

There's essentially two scenarios...

(1) The executives, managers, and teams involved in building the app truly didn't care, intentionally designed the app to store passwords in clear text, and this decision was consciously discussed and signed off on at all levels in the company.

or (2) Some coder f'd up and didn't bother to store passwords securely, everyone assumed the coder had done it right and didn't think to double-check, and when the news came out there was a major crisis / panic to find/fix whatever code was storing the passwords.

Which is more probable...

The executives were interviewed and they claimed they were aware of the problem for some time, long before the information was public. They may not have designed the security flaw intentionally, but they did not care to fix it until it turned into a PR disaster. In other words, none of the above.

C DM · Jan 17, 2014

theBB said:
The executives were interviewed and they claimed they were aware of the problem for some time, long before the information was public. They may not have designed the security flaw intentionally, but they did not care to fix it until it turned into a PR disaster. In other words, none of the above.

Or they were working on fixing it and releasing a fix before the flaw was made widely public to avoid more abuse of it. Fairly standard practice when it comes to security flaws.

iMarc845 · Jan 18, 2014

unplugme71 said:
You do realize this will not be accurate. It could be fixed and no one notices or reports it for 15 min or 15 days.

Yes, I do and you are correct.

My point is much more about knowing when MacRumors made their updates. The content of those updates may or may not be timely. I don't understand why putting a Date- and Time-Stamp wouldn't be SOP.

SusanK · Jan 18, 2014

seamer said:
How did this get passed Apple's review process?

Apple and Starbucks are in love.

SockRolid · Jan 18, 2014

kdarling said:
In this case, the data was being stored as part of an optional Crashlytics clear text crash log file used for debugging.

This is why I dislike ever using someone else's add-on tools. Only trust code you write yourself, or at least vet all the output of the third party tools you're using.

Roger that.

vpndev · Jan 18, 2014

details ?

I've seen various claims about what the app was doing (i.e. before it was fixed).

Was it storing passwords in plain-text, or sending plain-text on the network, or both? I've seen claim that it was both but have no way to be sure.

And, does anyone know how it works with the update? Are passwords protected, are the credentials protected in transit, or both ??

kdarling · Jan 18, 2014

vpndev said:
Was it storing passwords in plain-text, or sending plain-text on the network, or both? I've seen claim that it was both but have no way to be sure.

The Starbucks app itself neither stored nor sent clear text passwords.

The problem was that a third party logging library could store the login HTML page with your username & password embedded in it. (Apparently the Starbucks app saves that info to make multiple usage easier.)

This particular logging occurred if the app crashed on the login screen, or if the app was put into the background while on the login screen, and the phone put to sleep.

Thus if your phone was stolen, the thief could go look at the crash log and probably find your login info. Which they could use to go buy a lot of lattes or something. (Does Starbucks sell anything really expensive? And don't you have to refill its purchasing power once in a while? Not sure.)

Of course, if a thief is actually spending time searching your phone, your coffee login is probably one of the less important pieces of info.

And, does anyone know how it works with the update? Are passwords protected, are the credentials protected in transit, or both ??

Apparently the app was changed to no longer store the username/password in the clear in the login page, so any crash log would not contain the info.

As a side note, the Android version did not need an update.

mrgraff · Jan 19, 2014

kdarling said:
Thus if your phone was stolen, the thief could go look at the crash log and probably find your login info. Which they could use to go buy a lot of lattes or something. (Does Starbucks sell anything really expensive? And don't you have to refill its purchasing power once in a while? Not sure.)

Of course, if a thief is actually spending time searching your phone, your coffee login is probably one of the less important pieces of info.

A thief is not trying to steal your coffee-buying power. The thief is hoping that you're careless enough to use the same login for more important accounts.

kdarling · Jan 19, 2014

mrgraff said:
A thief is not trying to steal your coffee-buying power. The thief is hoping that you're careless enough to use the same login for more important accounts.

Yeah, that hit me later on

Thanks for pointing that out, though!

A good reminder that we should all be careful about repeating passwords across sites.

deeddawg · Jan 20, 2014

theBB said:
The executives were interviewed and they claimed they were aware of the problem for some time, ... In other words, none of the above.

Then I stand corrected. Thanks.

MrSmith · Jan 20, 2014

The most *wow* thing is that people pay a third party for a drink they can get at home for free. Take a flask of coffee with you. Mugs. Pun intended.

GoCubsGo · Jan 20, 2014

^ Convenience. People like convenience...including me. I don't drink Starbucks because I'd actually have to go out of my way to get it and I don't particularly care for the frilly drinks they make. A simple grande black with room for cream or that over ice is about all I drink. I would visit their store while at work once I sucked down my travel mug of coffee and wanted more. Coffee at most companies I've worked has been vile.

bstpierre · Jan 20, 2014

blcamp said:
In App Store on iPhone (5, iOS7) it shows 2.6.1 as most recent, then 2.6.2, then an identical 2.6.1 entry again. That's messed up.

I don't have this app but I do enjoy a Starbucks from time to time. Is this app really worth the trouble? I see an awful lot of bad reviews for the app...

I don't drink coffee but I have this app. From time to time I will go into it and see what they have given away. They typically rotate through giving away song, apps, or books. Because of this, I recently got the Dark Sky app (normally $3.99) for free. I think it is worth it for that.

gnasher729 · Jan 20, 2014

kdarling said:
Yeah, that hit me later on

Thanks for pointing that out, though!

A good reminder that we should all be careful about repeating passwords across sites.

What bugs me all the time is why some sites use passwords at all. I don't need a password when I go to a store and buy stuff. Why do I need to create an account with a password if I buy something online?

sentiblue · Jan 20, 2014

That's a damn shame!!!

Any reasonable developer these days would not store personal data in plaintext... that's just given.

I'm a frequent Starbucks customer, but I have removed the app completely, regardless of their patch...

kdarling · Jan 21, 2014

sentiblue said:
I'm a frequent Starbucks customer, but I have removed the app completely, regardless of their patch...

Hmm... not sure that helps.

The old central debug log isn't removed until the new app version is started.

(Are all related directories deleted when an app is removed? I wouldn't think so, in this case, because the logger would have no idea the app was gone.)

theBB · Jan 21, 2014

C DM said:
Or they were working on fixing it and releasing a fix before the flaw was made widely public to avoid more abuse of it. Fairly standard practice when it comes to security flaws.

From the description of it, the fix is fairly simple. There is a list of "failure" that their their third party crash reporter module logs in plain text files. They just had to remove login attempts from the list of actions to be logged. It seems more like they just did not get around to it.

C DM · Jan 21, 2014

theBB said:
From the description of it, the fix is fairly simple. There is a list of "failure" that their their third party crash reporter module logs in plain text files. They just had to remove login attempts from the list of actions to be logged. It seems more like they just did not get around to it.

It's certainly possible. At the same time, there could have been more to it, either more to the fix, or something else that really needed to be changed or fixed at the same time. Hard to really know for sure, and often enough there are plenty of details that are unknown that can play a role (sometimes even a big one) in all of that.

theBB · Jan 21, 2014

kdarling said:
(Are all related directories deleted when an app is removed? I wouldn't think so, in this case, because the logger would have no idea the app was gone.)

The logger is part of the app, so the logger would also be gone along with the app. I presume the logger can only write to an area that is accessible by Starbucks app due to sandboxing. If the app is gone, I am not sure if that temporary area is wiped right away. Eventually it would be overwritten, but not sure how soon.

Starbucks iOS App Updated to Secure Personal Information [Updated x2]

macrumors G5

macrumors 68030

macrumors G3

macrumors 65816

macrumors 6502

macrumors 6502a

macrumors 68020

macrumors Sandy Bridge

macrumors member

macrumors 68000

macrumors 68000

macrumors 6502

macrumors P6

macrumors 65816

macrumors P6

macrumors G5

macrumors 68040

macrumors Nehalem

macrumors 6502a

Suspended

macrumors 6502

macrumors P6

macrumors 68020

macrumors Sandy Bridge

macrumors 68020

Our Staff