Become a MacRumors Supporter for $25/year with no ads, private forums, and more!

Starbucks Admits It Stores Unencrypted User Passwords, Location Data in iPhone App

MacRumors

macrumors bot
Original poster
Apr 12, 2001
51,028
12,565



Starbucks has admitted that its mobile payment app for iPhone does not encrypt user passwords and location data, instead storing it in a clear text format, according to a report from Computerworld.
The credentials were stored in such a way that anyone with access to the phone can see the passwords and usernames by connecting the phone to a PC. No jailbreaking of the phone is necessary. And that clear text also displays an extensive list of geolocation tracking points (latitude, longitude), a treasure trove of security and privacy gems for anyone who steals the phone.
The vulnerability was first discovered by security researcher Daniel Wood, who published his findings online for the security community after repeatedly not having success when attempting to contact Starbucks.

The coffee company tells Computerworld that it has "security measures in place now related to that". However, Wood tells The Verge that anything Starbucks does on its end "would not matter" because the vulnerability lies within the app itself.

Potential criminals would still need to physically have the phone to attain any user information, and the only information available would be user names, passwords and location data, but users of the app who had the "auto replenish" feature on would enable criminals to continually add money to the app to make Starbucks purchases.

Update: Starbucks has issued a statement acknowledging the issue and promising an expedited updated for the company's iOS app.
We'd like to be clear: there is no indication that any customer has been impacted by this or that any information has been compromised. Regardless, we take these types of concerns seriously and have added several safeguards to protect the information you share with us. To protect the integrity of these added measures, we are unable to share technical details but can assure you that they sufficiently address the concerns raised in the research report.

Out of an abundance of caution, we are also working to accelerate the deployment of an update for the app that will add extra layers of protection. We expect this update to be ready soon and will share our progress here. While we are working on the update, we would like to emphasize that your information is protected and that you should continue to feel confident about the integrity of our iOS app.

Article Link: Starbucks Admits It Stores Unencrypted User Passwords, Location Data in iPhone App
 

flash84x

macrumors regular
Aug 5, 2011
189
132
Really? It's not that hard to use the keychain which is built into iOS. Every competent iOS developer knows this.
 
Comment

simon48

macrumors 65816
Sep 1, 2010
1,315
88
Really? Just hash or encrypt them, what's the harm in doing so?
 
Comment

deadbeef

macrumors newbie
Jan 15, 2014
1
0
If they're storing it unencrypted, how are they transmitting it? Can it be sniffed?
 
Comment

maxwelltech

macrumors 6502
Dec 29, 2011
419
102
Irvine, CA, USA
Good thing I don't have the Starbucks app, but I do use Starbucks' open WiFi quite often, so does that mean that my logon information is stored on their network?
 
Comment

LuigiWeegee

macrumors newbie
Jan 15, 2014
5
0
That's so stupid. Did they hire some Java hacker in 7th grade to code this? No, the 7th grader would at the very least use a Caesarian Shift.

----------

Good thing I don't have the Starbucks app, but I do use Starbucks' open WiFi quite often, so does that mean that my logon information is stored on their network?

If they're sniffing your packets and saving them, yeah. But I doubt it, and chances are anything you're logging into is using HTTPS.

----------

I have a complex passcode set because I'm afraid of this sort of thing. Does that encrypt all the data, or is that just used for the keychain?
 
Comment

bradl

macrumors 601
Jun 16, 2008
4,045
13,628
Good thing I don't have the Starbucks app, but I do use Starbucks' open WiFi quite often, so does that mean that my logon information is stored on their network?

No. As this was only pertaining to their iOS app, WiFi there shouldn't be a problem. However, it all depends on who is operating the hotspot there (some are still run by ATT, for example).

This was actually posted to the Bugtraq Security mailing list yesterday; I'm on that list. here's a snippet:

Title: [CVE-2014-0647] Insecure Data Storage of User Data Elements in Starbucks v2.6.1 iOS mobile application
Published: January 13, 2014
Reported to Vendor: December 2013 (no direct response)
CVE Reference: CVE-2014-0647
Credit: This issue was discovered by Daniel E. Wood
http://www.linkedin.com/in/danielewood

Product: Starbucks iOS mobile application
Version: 2.6.1 (May 02, 2013)
Vendor: Starbucks Coffee Company
URL: https://itunes.apple.com/us/app/starbucks/id331177714

Issue: Username, email address, and password elements are being stored in clear-text in the session.clslog crashlytics log file.
Location: /Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog

Within session.clslog there are multiple instances of the storage of clear-text credentials that can be recovered and leveraged for unauthorized usage of a users account on the malicious users’ own device or online at https://www.starbucks.com/account/signin. It contains the HTML of the mobile application page that performs the account login or account reset. session.clslog also contains the OAuth token (signed with HMAC-SHA1) and OAuth signature for the users account/device to the Starbucks service.

For someone to effectively sniff this, and do it easily, the person using the app would need to be on Wifi, as well as the malicious user. That way they would be on the same network. They could then use something like Wireshark to sniff the packets of the IP address assigned to the App user, and get the information as it is being submitted (this does assume that the transmission is also going across on an insecure protocol, like HTTP).

Regardless, mitigation is also included:
To prevent sensitive user data (credentials) from being recovered by a malicious user, output sanitization should be conducted to prevent these data elements from being stored in the crashlytics log files in clear-text, if at all.

Expect a new version of the App to be released in very short order.

BL.
 
Comment

goatless

macrumors member
Oct 19, 2009
71
27
No. As this was only pertaining to their iOS app, WiFi there shouldn't be a problem. However, it all depends on who is operating the hotspot there (some are still run by ATT, for example).

This was actually posted to the Bugtraq Security mailing list yesterday; I'm on that list. here's a snippet:



For someone to effectively sniff this, and do it easily, the person using the app would need to be on Wifi, as well as the malicious user. That way they would be on the same network. They could then use something like Wireshark to sniff the packets of the IP address assigned to the App user, and get the information as it is being submitted (this does assume that the transmission is also going across on an insecure protocol, like HTTP).

Regardless, mitigation is also included:


Expect a new version of the App to be released in very short order.

BL.

I thought I understood this but now I'm confused. The cleartext is in a crash log. The implication of what you're saying is that the crash log is sent over WiFi, assuming it's enabled, whenever one uses the Starbucks app in a Starbucks store. Is this the case?
 
Comment

bradl

macrumors 601
Jun 16, 2008
4,045
13,628
I thought I understood this but now I'm confused. The cleartext is in a crash log. The implication of what you're saying is that the crash log is sent over WiFi, assuming it's enabled, whenever one uses the Starbucks app in a Starbucks store. Is this the case?

Actually, I think you're right, and I stand corrected. This is definitely in a log, which the data could be used on the innocent user's own device, the malicious user's device, or on Starbuck's website. So at the very least, to exploit this, the malicious user would need access to the innocent user's iOS device to collect the data. Once they have that, it could be used anywhere.

Either way, the storage of that in cleartext on the device is not good. When I initially read this, the example included the form that was used for submission, so I naturally thought that it was submitted in clear text when a purchase was made. That would have been worse.

BL.
 
Comment

eastercat

macrumors 68040
Mar 3, 2008
3,323
7
PDX
I buy their green tea soy latte on occasion and I use the app. I knew Starbucks sucked, but this is a level of corporate stupidity that is sadly not surprising.
 
Comment

baryon

macrumors 68040
Oct 3, 2009
3,595
1,911
You know all those "crazy people" who always come up with paranoid conspiracy theories? The ones that keep saying "your phone is being tracked by the government! Big companies are selling your information to other companies! We are all being spied on!"?

Well I hate to admit it but they were right all along!
 
Comment

TC03

macrumors 65816
Aug 17, 2008
1,272
356
Maybe it is time to make unencrypted password storage illegal. For literally every company or service you have to make an account, we have to be sure we can trust these companies.
 
Comment
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.