Starbucks fixes password-related flaw in its iOS app
Posted on 20 January 2014.
If you have followed last week's hullabaloo about the Starbucks iOS app found storing passwords and location coordinates in clear text, and you have been worried about your information being compromised, update the app and worry no more.

Starbucks said it has fixed the issue in the new version (2.6.2) of the iOS app and, according to Daniel Wood, the researcher who initially discovered the security flaw, the issue is now resolved.

The app no longer stores the Starbucks account password in plaintext (the password is now saved in Apple's encrypted keychain), and it records only the coordinates of the last location where a customer used their device.

"As such, I do not believe this file is a security concern as it does not aggregate geolocation data over time," he noted in an email sent to the Full Disclosure mailing list. "Your stored geolocation is overwritten each time and cannot be used to track your movement patterns over time."

He also added that the flaw was not as serious as the media made it out to be.

"During the initial testing of the application, at no point was there credit card data contained within this file, only your Starbucks Card number and balance amount. At no point were Starbucks's data servers compromised, exposing their 10 million customers to the application as some reports have suggested. This was a local exploitable vulnerability on a user's device, not a remotely exploitable vulnerability on their servers or any other type of remote code execution vulnerability."

As a side note: Wood says that he has been "in continuous communication with Starbucks" while the company was working on fixing the flaw. According to Evan Schuman, Wood has been temporarily retained by the company as a security consultant (albeit unpaid for the time being).

