Evan Schuman: Starbucks caught storing mobile passwords in clear text
Brotman didn't specifically say that the passwords are no longer appearing in clear text. About two hours after Brotman and Garner discussed the security hole, Wood reran his tests on an updated Starbucks app, using the current iOS version, and passwords and usernames were still fully visible in clear text. This time, though, he also noticed a geolocation history file, detailing his latitude and longitude numbers for every time he asked the app to find a store.
"If you grab someone's phone, you can effectively go through this log and see effectively where this person has been," Wood said. "It's a bad thing for user privacy."
Although it is certain that Starbucks' policies permitted the clear-text storage, the file that displayed the credentials is actually part of a capture done by a third-party crash analysis app from a company called Crashlytics, which was purchased by Twitter last year. Neither Crashlytics nor Twitter returned emails and voicemail messages seeking comment.
How do the clear-text passwords endanger shoppers? A thief would need to first steal -- or at the very least borrow for 30 minutes or so -- a victim's phone. Do you feel secure because you use PIN protection on your phone? You shouldn't, says Wood. "You don't need a user's PIN in order to pull raw data off the phone using the tool and methods I have used," he said. "So if a user's phone is stolen, regardless of being PIN-protected, you are able to bypass that and access the app's Library/Cache and pull the session.clslog file." In other words, it's a simple matter for a thief to get the victim's Starbucks username and password. With those in hand, the thief could charge items to the victim's account, until all the stored value is used up.
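The underlying defect is that a third-party crash-reporting SDK was handed session entries containing credentials and store-search coordinates, which then sat unencrypted in the app's cache. The following is an added example (not code from the article, Starbucks or Crashlytics) of two checks a mobile team can run: an audit scanner over a session log, and a redaction filter applied before any entry reaches a logging or crash-reporting library. The key=value log format and the sample entries are constructed for illustration, not the real session.clslog layout.

```python
import re

REDACTED = "[REDACTED]"
SECRET_KEYS = {"password", "passwd", "pwd", "token", "secret"}
LOCATION_KEYS = {"lat", "lon", "lng", "latitude", "longitude"}
KV_RE = re.compile(r"\b(\w+)=(\S+)")

# Constructed sample in an assumed key=value format; values are made up.
SAMPLE_LOG = """\
2014-01-15 09:12:03 session start device=iPhone
2014-01-15 09:12:10 login username=alice@example.com password=hunter2 status=ok
2014-01-15 09:13:41 store_locator lat=47.6097 lon=-122.3331
2014-01-15 09:20:02 store_locator lat=47.6205 lon=-122.3493
2014-01-15 09:25:17 purchase amount=4.25 status=ok
"""


def find_sensitive(text):
    """Audit a cached session log: return (line_no, kind) for every line that
    still carries a credential or a location fix. Run this against the files an
    app leaves in its sandbox (e.g. Library/Cache) during a pre-release review."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        pairs = [(k.lower(), v) for k, v in KV_RE.findall(line) if v != REDACTED]
        if any(k in SECRET_KEYS for k, _ in pairs):
            findings.append((no, "credential"))
        elif any(k in LOCATION_KEYS for k, _ in pairs):
            findings.append((no, "location"))
    return findings


def redact(line):
    """Sanitize one entry before it is passed to any logging / crash-reporting
    SDK: secrets and coordinates are replaced, everything else is kept."""
    def _kv(m):
        key = m.group(1)
        if key.lower() in SECRET_KEYS | LOCATION_KEYS:
            return f"{key}={REDACTED}"
        return m.group(0)
    return KV_RE.sub(_kv, line)


if __name__ == "__main__":
    for no, kind in find_sensitive(SAMPLE_LOG):
        print(f"line {no}: {kind} exposed")
    print(redact("login username=alice@example.com password=hunter2 status=ok"))
```

Redaction at the point where the entry is generated is what matters; scanning the cache afterwards only confirms that nothing slipped through.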
The thief could potentially steal far more if the victim had activated an auto-replenish option, which would allow the app to repeatedly access the victim's bank account to continually add more money to the Starbucks account. Brotman said that any request for more bank funds would trigger a message to the victim -- he said it would probably be an email -- which could alert the victim to the fraud. If the victim then contacted Starbucks, the account would be shut down.
But any victim who is traveling and has email access only on her phone would not receive that fraud alert from Starbucks, and that might give the thief plenty of time to run up big charges.
Asked about that particular scenario, Garner, the Starbucks CIO, said, "What you've described is fair, at a high level. From a design perspective, this could have potentially happened." He declined commenting on more specifics because "we're getting into security measures."