Evan Schuman: Starbucks releases security fix for mobile app
No independent verification yet that the problem has been eradicated
Computerworld - Starbucks late Thursday (Jan. 16) posted a new version of its iOS mobile-payment app, one that the company says fixes the password-in-plain-text situation that I reported on Wednesday (Jan. 15). I have been unable to verify as yet whether the new version does indeed halt the key problems with the earlier version, which also disclosed in clear text account name, email address and geolocation details.
Daniel Wood, the security researcher who first discovered the holes -- and who, at Computerworld's request late on Tuesday, reran the tests after Starbucks said it had imposed additional security protections -- said today that he is "almost 100% certain" that the clear-text password problem is gone. "The file that was containing that data is no longer storing that data," he said, adding that he is still "checking to see if [the sensitive data] is trapped somewhere else." The passwords and related info are now saved in Apple's encrypted keychain, Wood said.
It should be pointed out, though, that Wood is no longer the independent security researcher that he was two days ago, since Starbucks has now brought him on as a security consultant, along with the standard nondisclosure agreement. Wood said it is, at this time, an unpaid role.
Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek and eWeek. Evan can be reached at firstname.lastname@example.org and he can be followed at twitter.com/eschuman. Look for his column every Tuesday.