Starbucks Clears Up Password Fault

Monday, January 20, 2014 @ 02:01 PM gHale

With the release of version 2.6.2, Starbucks fixed the problem in its iOS app that had been storing passwords and location coordinates in clear text on the device.

Daniel Wood, the researcher who initially discovered the security flaw, confirmed the problem is fixed.

The app no longer stores the Starbucks account password in plain text (the password is now saved in Apple's encrypted keychain), and it records only the coordinates of the last location where a customer used the device.
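The two storage patterns the article contrasts, as an added illustration that is not code from Starbucks or from the researcher: a credential written to a plain file in the app sandbox (the class of flaw described above) next to the same credential stored as a Keychain item. The service and account names, the file name and the location key are placeholders chosen for this example; the page does not say which file or format the original app used.

```swift
import Foundation
import Security

// Placeholder identifiers for this example (assumed, not the app's real values).
let service = "com.example.coffeeapp"
let account = "user@example.com"

// The flawed pattern: the password lands in a plain file inside the app sandbox.
// Anything that can read the container (a device backup, a jailbroken device,
// a forensic extraction) can read it. Shown only to contrast with the fix below.
func storePasswordInPlainFile(_ password: String) throws {
    let url = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)[0]
        .appendingPathComponent("session.txt")   // assumed file name
    try password.write(to: url, atomically: true, encoding: .utf8)
}

// The hardened pattern: a generic-password Keychain item. The OS encrypts it and,
// with the WhenUnlockedThisDeviceOnly class, only exposes it while the device is
// unlocked and never migrates it to another device via backup.
func storePasswordInKeychain(_ password: String) -> OSStatus {
    let lookup: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    // Delete any earlier copy so SecItemAdd does not fail with errSecDuplicateItem.
    SecItemDelete(lookup as CFDictionary)

    var attrs = lookup
    attrs[kSecValueData as String] = Data(password.utf8)
    attrs[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    return SecItemAdd(attrs as CFDictionary, nil)
}

func readPasswordFromKeychain() -> String? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let data = item as? Data else { return nil }
    return String(data: data, encoding: .utf8)
}

// The location behaviour the article describes: keep only the most recent fix,
// overwriting the previous one, so no movement history accumulates on disk.
func recordLastLocation(latitude: Double, longitude: Double) {
    let defaults = UserDefaults.standard
    defaults.set(latitude, forKey: "lastLatitude")    // assumed key names
    defaults.set(longitude, forKey: "lastLongitude")
}
```

Two caveats a tester would check after a fix like this: the Keychain item's accessibility class decides whether it ends up in backups at all (the ThisDeviceOnly classes stay on the device), and a single overwritten coordinate is still readable from the sandbox, so it should carry nothing more precise than the feature actually needs.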

“As such, I do not believe this file is a security concern as it does not aggregate geolocation data over time,” Wood said. “Your stored geolocation is overwritten each time and cannot be used to track your movement patterns over time.”

He added that the flaw was not as serious as the media made it out to be.

“During the initial testing of the application, at no point was there credit card data contained within this file, only your Starbucks Card number and balance amount. At no point were Starbucks’s data servers compromised, exposing their 10 million customers to the application as some reports have suggested. This was a local exploitable vulnerability on a user’s device, not a remotely exploitable vulnerability on their servers or any other type of remote code execution vulnerability.”

Wood said he has been “in continuous communication with Starbucks” while the company was working on fixing the flaw.

