01-15-2014 05:59 PM
Fresh off the press!
According to a new CNNMoney article, a security researcher who, like many of us, also happens to be a Starbucks customer, discovered that the popular Starbucks app (available on iOS and Android) that lets users make Starbucks purchases right from their mobile devices stores user info such as passwords and email addresses in plain text. That's a problem...
"That means a hacker could pick up a left-behind phone, plug it into a laptop and easily recover a Starbucks customer's password without even knowing the smartphone's PIN code...if a hacker does obtain the password, it would allow him or her access to money stored in the customer's Starbucks account. Customers could be at greater risk if they use the same password for other sites."
A spokeswoman for Starbucks acknowledged the vulnerability, but went on to say that "the possibility of the vulnerability being exploited is 'very far fetched'"... Not quite. While it's true that the potential hacker would need to have access to the customer's phone, have a computer on hand, and know how to access the file to extract the info, that scenario isn't what we in the security industry would call far fetched.
On top of this, Starbucks didn't say whether the app has been updated to fix the vulnerability. Chances are, however, that it wasn't, considering the last update for the Apple version was in May 2013 and September 2013 for Android.
We'll be keeping an eye out for updates to this developing story. In the meantime, you can read the CNN article by clicking the aforementioned link.
01-15-2014 06:05 PM
Far fetched? Really? I am sure that the vendors of mobile phone security software that does lock and location functions, such as Webroot, would find that.... interesting to say the least.
I would also guess that the untold 1000s of phone owners who have been victims of phone theft would not consider it to be so far fetched either.
Really, that is one of the most inappropriate responses to a security hazard that I think I have heard in quite a while. Shame on Starbucks, but perhaps their Public Relations people forgot to consult with their IT before commenting?
01-16-2014 11:19 AM
Starbucks has reacted to the news that its iOS mobile app stores passwords and other personal details in easily-extracted cleartext, updating the app to address the security flaws, though insisting that there have been no reported cases of actual exploits so far. The Starbucks iOS app was found to save each user's password, username, and email address, along with geolocation tracking data as unencrypted text, a huge potential security hazard that the coffee company now says it's patching.
Exactly what it's doing to address those shortcomings isn't explained, though it's going to be a two-stage process. First there are new "safeguards" which the company says it has already implemented to protect information - Starbucks says that to "protect the integrity of these added measures" it won't be detailing what it did - while a new app version is in the pipeline.
Its release is being accelerated, and will "add extra layers of protection", again unspecified. The app will be "ready soon," Starbucks promises.
"There is no indication that any customer has been impacted by this," Starbucks chief information officer Curt Garner maintains, "or that any information has been compromised." The CIO also insists that the company takes such security flaws seriously, though security researcher Daniel Wood, who first spotted the issue, claims that he notified Starbucks back in November 2013, but received no response.
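The flaw described across this thread is an app writing its username, password, email and geolocation data into on-device files as unencrypted text. The script below is an added example, not code from Starbucks or from any poster here: it shows the kind of audit check a developer or security tester can run against their own app's data directory to catch this class of mistake before release. The directory layout, file names (com.example.app.plist, session.json, app.log) and contents are constructed for the demo and are assumptions, not the real Starbucks app's files.

```python
"""Audit an app's on-device data directory for credentials stored in cleartext.

Constructed example: builds a throwaway directory that mimics what a mobile
app leaves behind (an XML property list, a JSON preferences file and a plain
log), then walks it looking for credential-like keys whose values are stored
unprotected. Paths and contents are assumptions for the demo only.
"""
import json
import os
import plistlib
import re
import tempfile

# Keys that should never hold a bare value in an on-device file; the secret
# itself belongs in the platform keychain/keystore, not a preferences file.
SENSITIVE_KEYS = re.compile(r"(pass(word|wd)?|secret|token|email)", re.IGNORECASE)
# Values that indicate a reference/placeholder rather than the secret itself.
PLACEHOLDER_VALUES = {"", "null", "none", "<redacted>", "keychain"}


def _flatten(obj, prefix=""):
    """Yield (dotted_key, value) pairs for nested dicts and lists."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _flatten(v, f"{prefix}{k}.")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _flatten(v, f"{prefix}{i}.")
    else:
        yield prefix.rstrip("."), obj


def _load_structured(path):
    """Parse a JSON or XML plist file; return None for any other file type."""
    with open(path, "rb") as fh:
        data = fh.read()
    if path.endswith(".json"):
        return json.loads(data)
    if path.endswith(".plist"):
        return plistlib.loads(data)
    return None


def find_cleartext_credentials(root):
    """Walk `root` and return sorted (relative_path, key) pairs for
    credential-like keys whose value is a non-placeholder string."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                parsed = _load_structured(path)
            except (ValueError, plistlib.InvalidFileException):
                parsed = None
            if parsed is None:
                # Unstructured file (e.g. a log): fall back to a key=value line scan.
                with open(path, "r", errors="replace") as fh:
                    for line in fh:
                        m = re.match(r"\s*([\w.]+)\s*[=:]\s*(\S+)", line)
                        if m and SENSITIVE_KEYS.search(m.group(1)) \
                                and m.group(2).lower() not in PLACEHOLDER_VALUES:
                            findings.append((rel, m.group(1)))
                continue
            for key, value in _flatten(parsed):
                leaf = key.rsplit(".", 1)[-1]
                if SENSITIVE_KEYS.search(leaf) and isinstance(value, str) \
                        and value.strip().lower() not in PLACEHOLDER_VALUES:
                    findings.append((rel, key))
    return sorted(findings)


def build_sample_sandbox():
    """Create a constructed app data directory for the demo and return its path."""
    root = tempfile.mkdtemp(prefix="app-sandbox-")
    os.makedirs(os.path.join(root, "Library", "Preferences"))
    os.makedirs(os.path.join(root, "Documents"))
    # Bad: bare credentials written to a preferences plist (constructed values).
    with open(os.path.join(root, "Library", "Preferences", "com.example.app.plist"), "wb") as fh:
        plistlib.dump({"username": "jane", "password": "hunter2",
                       "email": "jane@example.test"}, fh)
    # Better: the password field only holds a keychain reference, not the secret.
    with open(os.path.join(root, "Documents", "session.json"), "w") as fh:
        json.dump({"account": {"email": "jane@example.test",
                               "password": "keychain"}}, fh)
    # Bad: an auth token echoed into a plain log file.
    with open(os.path.join(root, "Documents", "app.log"), "w") as fh:
        fh.write("2014-01-15 login ok\nauth_token=abc123def\n")
    return root


if __name__ == "__main__":
    for rel, key in find_cleartext_credentials(build_sample_sandbox()):
        print(f"cleartext credential: {rel} -> {key}")
```

Run it against a real app sandbox (an iOS app container pulled from a development device, or an Android app's data directory on a rooted test device) by passing that path to `find_cleartext_credentials` instead of the constructed one. The email field is flagged on purpose: the thread's point is that the email address alone is personal data that should not sit unprotected next to a password, and the pairing is what makes credential reuse on other sites a risk.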