Starbucks Admits It Stores Unencrypted User Passwords, Location Data in iPhone App

  1. MacRumors macrumors bot


    Apr 12, 2001

    Starbucks has admitted that its mobile payment app for iPhone does not encrypt user passwords and location data, instead storing it in a clear text format, according to a report from Computerworld.
    The vulnerability was first discovered by security researcher Daniel Wood, who published his findings online for the security community after repeatedly not having success when attempting to contact Starbucks.

    The coffee company tells Computerworld that it has "security measures in place now related to that". However, Wood tells The Verge that anything Starbucks does on its end "would not matter" because the vulnerability lies within the app itself.

    Potential criminals would still need to physically have the phone to attain any user information, and the only information available would be user names, passwords and location data, but users of the app who had the "auto replenish" feature on would enable criminals to continually add money to the app to make Starbucks purchases.

    Update: Starbucks has issued a statement acknowledging the issue and promising an expedited update for the company's iOS app.
    Article Link: Starbucks Admits It Stores Unencrypted User Passwords, Location Data in iPhone App
  2. Lionel Messi macrumors regular

    Dec 2, 2013
    Barcelona, Spain
    Glad I don't have a Starbucks app in my country. Good luck cleaning that up, Starbucks.
  3. flash84x macrumors regular

    Aug 5, 2011
    Really? It's not that hard to use the keychain which is built into iOS. Every competent iOS developer knows this.
  4. simon48 macrumors 65816


    Sep 1, 2010
    Really? Just hash or encrypt them, what's the harm in doing so?
  5. deadbeef macrumors newbie

    Jan 15, 2014
    If they're storing it unencrypted, how are they transmitting it? Can it be sniffed?
  6. maxwelltech macrumors 6502


    Dec 29, 2011
    Irvine, CA, USA
    Good thing I don't have the Starbucks app, but I do use Starbucks' open WiFi quite often, so does that mean that my logon information is stored on their network?
  7. LuigiWeegee macrumors newbie

    Jan 15, 2014
    That's so stupid. Did they hire some Java hacker in 7th grade to code this? No, the 7th grader would at the very least use a Caesar shift.


    If they're sniffing your packets and saving them, yeah. But I doubt it, and chances are anything you're logging into is using HTTPS.


    I have a complex passcode set because I'm afraid of this sort of thing. Does that encrypt all the data, or is that just used for the keychain?
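The Keychain route flash84x mentions above, and the passcode question in the post just above, as an added illustration in Swift that is not code from the thread or from Starbucks' app: the accessibility attribute on the item is what ties it to the device passcode, and the password never touches a file or a log. Service and account names are placeholders.

```swift
import Foundation
import Security

enum KeychainError: Error {
    case unexpectedStatus(OSStatus)
    case notFound
}

/// Store a password in the iOS Keychain instead of a plain file or crash log.
/// kSecAttrAccessibleWhenUnlockedThisDeviceOnly means the item is readable only
/// while the device is unlocked (i.e. protected by the passcode) and is not
/// migrated to another device via backup.
func storePassword(_ password: String, account: String, service: String) throws {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,   // placeholder, e.g. "com.example.app"
        kSecAttrAccount as String: account,   // placeholder, the user name
    ]
    // Remove any previous item so SecItemAdd does not fail with errSecDuplicateItem.
    SecItemDelete(query as CFDictionary)

    var attrs = query
    attrs[kSecValueData as String] = Data(password.utf8)
    attrs[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    // Note: never NSLog/print the password here; that is how it ends up in crash logs.
    let status = SecItemAdd(attrs as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
}

/// Read the password back; fails while the device is locked because of the
/// accessibility class chosen above.
func loadPassword(account: String, service: String) throws -> String {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status != errSecItemNotFound else { throw KeychainError.notFound }
    guard status == errSecSuccess,
          let data = item as? Data,
          let password = String(data: data, encoding: .utf8) else {
        throw KeychainError.unexpectedStatus(status)
    }
    return password
}
```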
  8. bradl macrumors 68040


    Jun 16, 2008
    No. As this was only pertaining to their iOS app, WiFi there shouldn't be a problem. However, it all depends on who is operating the hotspot there (some are still run by ATT, for example).

    This was actually posted to the Bugtraq Security mailing list yesterday; I'm on that list. Here's a snippet:

    For someone to effectively sniff this, and do it easily, the person using the app would need to be on Wifi, as well as the malicious user. That way they would be on the same network. They could then use something like Wireshark to sniff the packets of the IP address assigned to the App user, and get the information as it is being submitted (this does assume that the transmission is also going across on an insecure protocol, like HTTP).

    Regardless, mitigation is also included:
    Expect a new version of the App to be released in very short order.

  9. macs4nw macrumors 601


    After all the brouhaha of late about privacy and security, whoever wrote this App, what were they thinking…?
  10. goatless macrumors member


    Oct 19, 2009
    I thought I understood this but now I'm confused. The cleartext is in a crash log. The implication of what you're saying is that the crash log is sent over WiFi, assuming it's enabled, whenever one uses the Starbucks app in a Starbucks store. Is this the case?
  11. bradl macrumors 68040


    Jun 16, 2008
    Actually, I think you're right, and I stand corrected. This is definitely in a log, and the data could be used on the innocent user's own device, the malicious user's device, or on Starbucks' website. So at the very least, to exploit this, the malicious user would need access to the innocent user's iOS device to collect the data. Once they have that, it could be used anywhere.

    Either way, the storage of that in cleartext on the device is not good. When I initially read this, the example included the form that was used for submission, so I naturally thought that it was submitted in clear text when a purchase was made. That would have been worse.

  12. dollystereo macrumors 6502a


    Oct 6, 2004
    Anyway, Starbucks coffee is so bad (wait, it shouldn't be called coffee)... what was I going to say?
  13. eastercat macrumors 68040


    Mar 3, 2008
    I buy their green tea soy latte on occasion and I use the app. I knew Starbucks sucked, but this is a level of corporate stupidity that is sadly not surprising.
  14. pnoyblazed macrumors 6502a


    Mar 1, 2008
    does that mean this app will finally get iOS7 support?
  15. cclloyd macrumors 68000


    Oct 26, 2011
    Alpha Centauri A
    I hope Dunkin Donuts does the same, cause Stahbucks sucks.
  16. roadbloc macrumors G3


    Aug 24, 2009
    Tut tut. Good job I don't go to Starbucks. Or have an iPhone.
  17. dangerly macrumors regular


    Oct 27, 2009
    European Dis-Union
    Starbucks coffees/products are awful, who wants to use an app to purchase it in the first place?
  18. baryon macrumors 68040


    Oct 3, 2009
    You know all those "crazy people" who always come up with paranoid conspiracy theories? The ones that keep saying "your phone is being tracked by the government! Big companies are selling your information to other companies! We are all being spied on!"?

    Well I hate to admit it but they were right all along!
  19. Elijen macrumors 6502


    May 8, 2012
    Terrible coffee, terrible app. What did you expect?
  20. TC03 macrumors 65816

    Aug 17, 2008
    Maybe it is time to make unencrypted password storage illegal. For literally every company or service you have to make an account, we have to be sure we can trust these companies.
  21. MacsRgr8 macrumors 604


    Sep 8, 2002
    The Netherlands
    LOL yep.
    When a food and drinks company tries to get customers to their locations by offering free Wifi, you know something isn't quite right with their core product. ;)
  22. iapplelove macrumors 601


    Nov 22, 2011
    East Coast USA
  23. cdmoore74 macrumors 68020

    Jun 24, 2010
    Well it is a place where hipsters show off their iPads and MacBooks.
  24. Shrink macrumors G3


    Feb 26, 2011
    New England, USA
    And just one more reason to avoid Starbucks... even if you pay with cash! :p
  25. alent1234 macrumors 603

    Jun 19, 2009
    The coffee is so bad, there is always a line of people waiting to buy it

