Evan Schuman: Starbucks releases security fix for mobile app
No independent verification yet that the problem has been eradicated
Computerworld - Starbucks late Thursday (Jan. 16) posted a new version of its iOS mobile-payment app, one that the company says fixes the password-in-plain-text situation that I reported on Wednesday (Jan. 15). I have been unable to verify as yet whether the new version does indeed halt the key problems with the earlier version, which also disclosed in clear text account name, email address and geolocation details.
Daniel Wood, the security researcher who first discovered the holes -- and who, at Computerworld's request late on Tuesday, reran the tests after Starbucks said it had imposed additional security protections -- said today that he is "almost 100% certain" that the clear-text password problem is gone. "The file that was containing that data is no longer storing that data," he said, adding that he is still "checking to see if [the sensitive data] is trapped somewhere else." The passwords and related info are now saved in Apple's encrypted keychain, Wood said.
It should be pointed out, though, that Wood is no longer the independent security researcher that he was two days ago, since Starbucks has now brought him on as a security consultant, along with the standard nondisclosure agreement. Wood said it is, at this time, an unpaid role.
Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek and eWeek. Evan can be reached at firstname.lastname@example.org and he can be followed at twitter.com/eschuman. Look for his column every Tuesday.
More by Evan Schuman
- Evan Schuman: What if you can't trust your inbox?
- Evan Schuman: Supreme Court on obvious patents: Common sense isn't so horrible
- Evan Schuman: Do you know the people you're following on Twitter? Neither does Twitter, apparently
- Evan Schuman: Is Google forgetting that interactivity pays its bills?
- Evan Schuman: Killer robots? What could go wrong? Oh, yeah ...
- Evan Schuman: One law to rule all data breaches -- but let's make it a real law
- Evan Schuman: Snapchat's reputation is vanishing (unlike its images)
- Evan Schuman: Snapchat's latest feature shows why IT must tame marketing's inner monster
- Evan Schuman: With Heartbleed, IT leaders are missing the point
- Evan Schuman: Social media endangers corporate secrets
Read more about Mobile Payments in Computerworld's Mobile Payments Topic Center.
- Improving IT Efficiencies: Four Advantages of Multi-Tenant Data Centers Increasing demands on IT are forcing organizations to rethink their data center options. For many organizations, that means turning to the flexibility afforded...
- Accelerating Cloud Deployment and Operations with Managed Services Companies that do not have sufficient in-house expertise to either deploy or maintain an IaaS cloud should turn to Managed Service Providers .
- Rethinking IT Operations in the Cloud This paper breaks down the challenges that often prevent the cloud from delivering the fast, flexible and affordable infrastructure companies seek - and...
- Gartner Magic Quadrant for Cloud-Enabled Managed Hosting, North America Cloud-enabled managed hosting brings cloudlike consumption and provisioning attributes to the traditional managed hosting market
- NSS Labs & Cisco Present: Evaluating Leading Breach Detection Systems Today's constantly evolving advanced malware and APTs can evade point-in-time defenses to penetrate networks. Security professionals must evolve their strategy in lockstep to...
- Will the Real Endpoint Threat Detection and Response Please Stand Up? This webinar explores new technologies & process for protecting endpoints from advanced attackers as well as the innovations that are pushing the envelope... All Mobile Payments White Papers | Webcasts
Our new weekly Consumerization of IT newsletter covers a wide range of trends including BYOD, smartphones, tablets, MDM, cloud, social and what it all means for IT. Subscribe now and stay up to date!