Starbucks Admits It Stores Unencrypted User Passwords, Location Data in iPhone App

[MacRumors]

Starbucks has admitted that its mobile payment app for iPhone does not encrypt user passwords and location data, instead storing it in a clear text format, according to a report from Computerworld.

The credentials were stored in such a way that anyone with access to the phone can see the passwords and usernames by connecting the phone to a PC. No jailbreaking of the phone is necessary. And that clear text also displays an extensive list of geolocation tracking points (latitude, longitude), a treasure trove of security and privacy gems for anyone who steals the phone.

The vulnerability was first discovered by security researcher Daniel Wood, who published his findings online for the security community after repeatedly not having success when attempting to contact Starbucks.

The coffee company tells Computerworld that it has "security measures in place now related to that". However, Wood tells The Verge that anything Starbucks does on its end "would not matter" because the vulnerability lies within the app itself.

Potential criminals would still need to physically have the phone to attain any user information, and the only information available would be user names, passwords and location data, but users of the app who had the "auto replenish" feature on would enable criminals to continually add money to the app to make Starbucks purchases.

Update: Starbucks has issued a statement acknowledging the issue and promising an expedited updated for the company's iOS app.

We'd like to be clear: there is no indication that any customer has been impacted by this or that any information has been compromised. Regardless, we take these types of concerns seriously and have added several safeguards to protect the information you share with us. To protect the integrity of these added measures, we are unable to share technical details but can assure you that they sufficiently address the concerns raised in the research report.

Out of an abundance of caution, we are also working to accelerate the deployment of an update for the app that will add extra layers of protection. We expect this update to be ready soon and will share our progress here. While we are working on the update, we would like to emphasize that your information is protected and that you should continue to feel confident about the integrity of our iOS app.

Article Link: Starbucks Admits It Stores Unencrypted User Passwords, Location Data in iPhone App

 

[Lionel Messi]

Glad I don't have a Starbucks app in my country. Good luck cleaning that up, Starbucks.

 

[flash84x]

Really? It's not that hard to use the keychain which is built into iOS. Every competent iOS developer knows this.

 

[simon48]

Really? Just hash or encrypt them, what's the harm in doing so?

 

[deadbeef]

If they're storing it unencrypted, how are they transmitting it? Can it be sniffed?

 

[maxwelltech]

Good thing I don't have the Starbucks app, but I do use Starbucks' open WiFi quite often, so does that mean that my logon information is stored on their network?

 

[LuigiWeegee]

That's so stupid. Did they hire some Java hacker in 7th grade to code this? No, the 7th grader would at the very least use a Caesarian Shift.

----------

Good thing I don't have the Starbucks app, but I do use Starbucks' open WiFi quite often, so does that mean that my logon information is stored on their network?

If they're sniffing your packets and saving them, yeah. But I doubt it, and chances are anything you're logging into is using HTTPS.

----------

I have a complex passcode set because I'm afraid of this sort of thing. Does that encrypt all the data, or is that just used for the keychain?

 

[bradl]

Good thing I don't have the Starbucks app, but I do use Starbucks' open WiFi quite often, so does that mean that my logon information is stored on their network?

No. As this was only pertaining to their iOS app, WiFi there shouldn't be a problem. However, it all depends on who is operating the hotspot there (some are still run by ATT, for example).

This was actually posted to the Bugtraq Security mailing list yesterday; I'm on that list. here's a snippet:

Title: [CVE-2014-0647] Insecure Data Storage of User Data Elements in Starbucks v2.6.1 iOS mobile application
Published: January 13, 2014
Reported to Vendor: December 2013 (no direct response)
CVE Reference: CVE-2014-0647
Credit: This issue was discovered by Daniel E. Wood
http://www.linkedin.com/in/danielewood

Product: Starbucks iOS mobile application
Version: 2.6.1 (May 02, 2013)
Vendor: Starbucks Coffee Company
URL: https://itunes.apple.com/us/app/starbucks/id331177714

Issue: Username, email address, and password elements are being stored in clear-text in the session.clslog crashlytics log file.
Location: /Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog

Within session.clslog there are multiple instances of the storage of clear-text credentials that can be recovered and leveraged for unauthorized usage of a users account on the malicious users’ own device or online at https://www.starbucks.com/account/signin. It contains the HTML of the mobile application page that performs the account login or account reset. session.clslog also contains the OAuth token (signed with HMAC-SHA1) and OAuth signature for the users account/device to the Starbucks service.

For someone to effectively sniff this, and do it easily, the person using the app would need to be on Wifi, as well as the malicious user. That way they would be on the same network. They could then use something like Wireshark to sniff the packets of the IP address assigned to the App user, and get the information as it is being submitted (this does assume that the transmission is also going across on an insecure protocol, like HTTP).

Regardless, mitigation is also included:

To prevent sensitive user data (credentials) from being recovered by a malicious user, output sanitization should be conducted to prevent these data elements from being stored in the crashlytics log files in clear-text, if at all.

Expect a new version of the App to be released in very short order.

BL.

 

[macs4nw]

After all the brouhaha of late about privacy and security, whoever wrote this App, what were they thinking…..?

 

[goatless]

No. As this was only pertaining to their iOS app, WiFi there shouldn't be a problem. However, it all depends on who is operating the hotspot there (some are still run by ATT, for example).

This was actually posted to the Bugtraq Security mailing list yesterday; I'm on that list. here's a snippet:



For someone to effectively sniff this, and do it easily, the person using the app would need to be on Wifi, as well as the malicious user. That way they would be on the same network. They could then use something like Wireshark to sniff the packets of the IP address assigned to the App user, and get the information as it is being submitted (this does assume that the transmission is also going across on an insecure protocol, like HTTP).

Regardless, mitigation is also included:


Expect a new version of the App to be released in very short order.

BL.

I thought I understood this but now I'm confused. The cleartext is in a crash log. The implication of what you're saying is that the crash log is sent over WiFi, assuming it's enabled, whenever one uses the Starbucks app in a Starbucks store. Is this the case?

 

[bradl]

I thought I understood this but now I'm confused. The cleartext is in a crash log. The implication of what you're saying is that the crash log is sent over WiFi, assuming it's enabled, whenever one uses the Starbucks app in a Starbucks store. Is this the case?

Actually, I think you're right, and I stand corrected. This is definitely in a log, which the data could be used on the innocent user's own device, the malicious user's device, or on Starbuck's website. So at the very least, to exploit this, the malicious user would need access to the innocent user's iOS device to collect the data. Once they have that, it could be used anywhere.

Either way, the storage of that in cleartext on the device is not good. When I initially read this, the example included the form that was used for submission, so I naturally thought that it was submitted in clear text when a purchase was made. That would have been worse.

BL.

 

[dollystereo]

anyway, Starbuck coffe is so bad (wait it shouldnt be called coffe)... what I was going to say?

 

[eastercat]

I buy their green tea soy latte on occasion and I use the app. I knew Starbucks sucked, but this is a level of corporate stupidity that is sadly not surprising.

 

[pnoyblazed]

does that mean this app will finally get iOS7 support?

 

[cclloyd]

I hope Dunkin Donuts does the same, cause Stahbucks sucks.

 

[roadbloc]

Tut tut. Good job I don't go to Starbucks. Or have an iPhone.

 

[dangerly]

Starbucks coffees/products are awful, who wants to use an app to purchase it in the first place?

 

[baryon]

You know all those "crazy people" who always come up with paranoid conspiracy theories? The ones that keep saying "your phone is being tracked by the government! Big companies are selling your information to other companies! We are all being spied on!"?

Well I hate to admit it but they were right all along!

 

[Elijen]

Terrible coffee, terrible app. What did you expect?

 

[TC03]

Maybe it is time to make unencrypted password storage illegal. For literally every company or service you have to make an account, we have to be sure we can trust these companies.

 

[MacsRgr8]

Terrible coffee, terrible app. What did you expect?

LOL yep.
When a food and drinks company tries to get customers to their locations by offering free Wifi, you know something isn't quite right with their core-product.

 

[iapplelove]

Thankfully I don't drink coffee

 

[cdmoore74]

Terrible coffee, terrible app. What did you expect?

Well it is a place where hipsters show off their ipads and Mac Books.

 

[Shrink]

And just one more reason to avoid Starbucks...even if you pay with cash!

 

[alent1234]

The coffee is so bad, there is always a line of people waiting to buy it