Starbucks Admits It Stores Unencrypted User Passwords, Location Data in iPhone App

[alent1234]

Personally, I hate going anywhere where asking for "a cup of coffee" produces a blank look...

they have 3 different roasts of generic coffee daily

unless you go to a micky dees almost every coffee place i see will have a choice of different brews daily

 

[gnasher729]

With all the insecurity in computer systems these days (Target, Neimans) the Starbucks app is really only a distraction. Someone would have to have physical access to your phone or backup file to get the UID and PW. And even then you are talking about credit for coffees. What's the downside here - $20.

Hack one computer at Target and Neimans and get millions of names etc.
Get access to one iPhone and get the data of one user. Only makes sense if someone is specifically targeting _you_. Just don't use a password that you use for anything important.

----------

A device passcode doesn't help in this case, since reportedly the password is stored neither in the keychain, nor is iOS data protection used for the application data.

The device passcode does help, because anyone stealing a phone with passcode lock is absolutely incapable of reading any data on it.

When you backup your iPhone to your computer with iTunes, turn "encryption" on. Otherwise, someone stealing your Mac could go through the backups and get data out of that.

 

[Rigby]

The device passcode does help, because anyone stealing a phone with passcode lock is absolutely incapable of reading any data on it.

You're wrong. The unprotected memory can be accessed via the USB port using tools such as iExplorer under the right circumstances.

 

[alent1234]

You're wrong. The unprotected memory can be accessed via the USB port using tools such as iExplorer under the right circumstances.

and once i change my passwords how much damage can be done?

 

[kerrikins]

I'm very surprised to read all of the anti-Starbucks comments in this thread. Here in Canada, Starbucks is known as the second-best place to get a good coffee, after the now-more-popular Tim Hortons. Starbucks is known for its expensive prices, but quality product.

I think Starbucks is best at basic drip coffee and their flavoured drinks. Their espresso just doesn't compare to other places, and neither does their coffee. But when I look around Starbucks that's what I see a lot of people getting... It's also a good place for business people to go, since I have a feeling they prefer to line up at Starbucks over Timmy's.

I never connect to wifi on my phone when I'm out because of concerns over public networks, does this mean I have less to worry about? Hopefully they get an update out quickly.

 

[Mac.Pro]

Well it is a place where hipsters show off their ipads and Mac Books.

Not always. I've seen a guy with an iMac. If anyone reading this is thinking of that famous picture of a guy at Starbucks with an iMac, I might have been there.

 

[Consultant]

Personally, I hate going anywhere where asking for "a cup of coffee" produces a blank look...

Actually, Starbucks does sell "cup of coffee". You can even tell them the size you want in terms of small, medium, or large.

 

[Amazing Iceman]

At this point in time, after all the scandals related to unencrypted passwords and all the security awareness that has been raised for the past few years, this is unacceptable and inexcusable.
Whoever the developers are, they should be fired (well, give them a good scare and give them a second chance).

 

[pnoyblazed]

I believe the update was just released...I was hoping for an iOS7 redesign to go along with that

 

[IvanX]

To protect the integrity of these added measures, we are unable to share technical details but can assure you that they sufficiently address the concerns raised in the research report.

So what they are saying is: trust us now, even though we can't tell you what we did and even though we betrayed it (your trust) already. Yeah, jog on

 

[koa]

FWIW, I am far from a hipster, I don't fit the requirements both in age and physical appearance, but I have drank Blue Mountain coffee and I enjoyed the **** out of it.

Try Kopi Luwak, you'll really enjoy the **** out of it.

 

[Shrink]

Try Kopi Luwak, you'll really enjoy the **** out of it.

Well, just in case anyone is concerned, they do kind of brush off the beans before bagging.

 

[hindmost]

Had a 'Gold Card' since they were introduced. But not long ago I bought a Keurig machine and though I use Starbuck coffee (Sumatra) packets I do not frequent the Starbucks stores as much anymore.

Result? They took me off 'Gold' status. Who cares! Also their IOS app is terrible, constant bombardment of cheapo offers and lousy 'free' music downloads.

This exposure that they do not even encrypt the accounts was the last straw. I just ditched the Starbucks app from my iPhone.

 

[bradl]

Why because you hate convenience and free drinks and discounts?

With all the insecurity in computer systems these days (Target, Neimans) the Starbucks app is really only a distraction. Someone would have to have physical access to your phone or backup file to get the UID and PW. And even then you are talking about credit for coffees. What's the downside here - $20.

In some people's defense, the app does have the functionality to reload your Starbuck's card via PayPal. If authentication is being passed through to PayPal's site (read: credentials automatically filled in, not prompting you to type your password), the malicious user would have access to the victim's bank accounts, making the situation a lot worse than just $20. Long shot, but that situation could exist.

Either way, Starbucks updated their app this morning, so we'll see if they fixed the problem.

Had a 'Gold Card' since they were introduced. But not long ago I bought a Keurig machine and though I use Starbuck coffee (Sumatra) packets I do not frequent the Starbucks stores as much anymore.

We did the same. Having two children really does reduce the time to go out to get coffee. We could make similar at home, and save the gas used to get it.

We are still on Gold status, as when traveling, it does come in handy. But do my wife and I go there like we used to? no. There are 4 Starbucks in a 1 block radius of my work; I'm looking at one across the street. On the other side of that, there is one inside Barnes and Noble, a third next door to that inside Target, and a fourth across the other street, next to Walmart..

I haven't been in either of those in over a year.

BL.

 

[WaxedJacket]

You'd think the billion dollar company would put some effort into updating their clunky and outdated app.

 

[gnasher729]

You're wrong. The unprotected memory can be accessed via the USB port using tools such as iExplorer under the right circumstances.

Not if the phone is passcode locked. If the phone is locked with a passcode, then for example the US police is totally incapable of reading _anything_ on that phone.

You are welcome to explain what "right circumstances" you are talking about.

 

[dXTC]

Actually, Starbucks does sell "cup of coffee". You can even tell them the size you want in terms of small, medium, or large.

Umm... Foamy the Squirrel would like to have a word with you on that. (Potentially NSFW, so I decided not to embed it.)

 

[Rigby]

Not if the phone is passcode locked. If the phone is locked with a passcode, then for example the US police is totally incapable of reading _anything_ on that phone.

If that were true, the "US police" would simply not be using the right forensic tools. But I doubt that it is.

Here's something to think about: Why, do you think, is Apple encouring the encryption of sensitive data on the device via Keychain and file-based iOS data protection?