Starbucks fixes password-related flaw in its iOS app
Posted on 20 January 2014.
If you have followed last week's hullabaloo about the Starbucks iOS app found storing passwords and location coordinates in clear text, and you have been worried about your information being compromised, update the app and worry no more.

Starbucks said it has fixed the issue in the new version (2.6.2) of the iOS app and, according to Daniel Wood, the researcher that initially discovered the security flaw, the issue is now resolved.

The app no longer stores the Starbucks account password in plaintext (the password is now saved in Apple's encrypted keychain), and it records only the coordinates of the last location where the customer used the device.

"As such, I do not believe this file is a security concern as it does not aggregate geolocation data over time," he noted in an email sent to the Full Disclosure mailing list. "Your stored geolocation is overwritten each time and cannot be used to track your movement patterns over time."

He also added that the flaw was not as serious as media made it out to be.

"During the initial testing of the application, at no point was there credit card data contained within this file, only your Starbucks Card number and balance amount. At no point were Starbucks's data servers compromised, exposing their 10 million customers to the application as some reports have suggested. This was a locally exploitable vulnerability on a user's device, not a remotely exploitable vulnerability on their servers or any other type of remote code execution vulnerability."

As a side note: Wood says that he has been "in continuous communication with Starbucks" while the company was working on fixing the flaw. According to Evan Schuman, Wood has been temporarily retained by the company as a security consultant (albeit unpaid for the time being).
