Evan Schuman: Starbucks caught storing mobile passwords in clear text
Brotman didn't specifically say that the passwords are no longer appearing in clear text. About two hours after Brotman and Garner discussed the security hole, Wood reran his tests on an updated Starbucks app, using the current iOS version, and passwords and usernames were still fully visible in clear text. This time, though, he also noticed a geolocation history file, detailing his latitude and longitude numbers for every time he asked the app to find a store.
"If you grab someone's phone, you can effectively go through this log and see effectively where this person has been," Wood said. "It's a bad thing for user privacy."
Although it is certain that Starbucks' policies permitted the clear text, the file that displayed is actually part of a capture done by a third-party crash analysis app from a company called Crashlytics, which was purchased by Twitter last year. Neither Crashlytics nor Twitter returned emails and voicemail messages seeking comment.
How do the clear-text passwords endanger shoppers? A thief would need to first steal -- or at the very least borrow for 30 minutes or so -- a victim's phone. Do you feel secure because you use PIN protection on your phone? You shouldn't, says Wood. "You don't need a user's PIN in order to pull raw data off the phone using the tool and methods I have used," he said. "So if a user's phone is stolen, regardless of being PIN-protected, you are able to bypass that and access the apps Library/Cache and pull the session.clslog file." In other words, it's a simple matter for a thief to get the victim's Starbucks username and password. With those in hand, the thief could charge items to the victim's account, until all the stored value is used up.
The thief could potentially steal far more if the victim had activated an auto-replenish option, which would allow the app to repeatedly access the victim's bank account to continually add more money to the Starbucks account. Brotman said that any request for more bank funds would trigger a message to the victim -- he said it would probably be an email -- which could alert the victim to the fraud. If the victim then contacted Starbucks, the account would be shut down.
But any victim who is traveling and has email access only on her phone would not receive that fraud alert from Starbucks, and that might give the thief plenty of time to run up big charges.
Asked about that particular scenario, Garner, the Starbucks CIO, said, "What you've described is fair, at a high level. From a design perspective, this could have potentially happened." He declined commenting on more specifics because "we're getting into security measures."
More by Evan Schuman
- Evan Schuman: The data dangers of free public Wi-Fi
- Evan Schuman: What if you can't trust your inbox?
- Evan Schuman: Supreme Court on obvious patents: Common sense isn't so horrible
- Evan Schuman: Do you know the people you're following on Twitter? Neither does Twitter, apparently
- Evan Schuman: Is Google forgetting that interactivity pays its bills?
- Evan Schuman: Killer robots? What could go wrong? Oh, yeah ...
- Evan Schuman: One law to rule all data breaches -- but let's make it a real law
- Evan Schuman: Snapchat's reputation is vanishing (unlike its images)
- Evan Schuman: Snapchat's latest feature shows why IT must tame marketing's inner monster
- Evan Schuman: With Heartbleed, IT leaders are missing the point
- The Pivotal Big Data Suite- Reducing the Risks of Big Data The explosion of big data and the rapid evolution of big data tools and technologies is challenging IT to meet the demands of...
- A Survival Guide for Data in the Wild All corporate data used to reside in the data center. Safe and sound behind the corporate firewall. But now, employees have multiple devices...
- Transforming Security: Designing a State-of-the-Art Extended Team The information security mission is no longer about implementing and operating controls.
- The Big Data Security Analytics Era Is Here New security risks and old security challenges often overwhelm legacy security controls and analytical tools.
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!