Evan Schuman: Starbucks releases security fix for mobile app
No independent verification yet that the problem has been eradicated
Computerworld - Starbucks late Thursday (Jan. 16) posted a new version of its iOS mobile-payment app, one that the company says fixes the password-in-plain-text situation that I reported on Wednesday (Jan. 15). I have not yet been able to verify whether the new version does indeed halt the key problems with the earlier version, which also disclosed the account name, email address and geolocation details in clear text.
Daniel Wood, the security researcher who first discovered the holes -- and who, at Computerworld's request late on Tuesday, reran the tests after Starbucks said it had imposed additional security protections -- said today that he is "almost 100% certain" that the clear-text password problem is gone. "The file that was containing that data is no longer storing that data," he said, adding that he is still "checking to see if [the sensitive data] is trapped somewhere else." The passwords and related info are now saved in Apple's encrypted keychain, Wood said.
It should be pointed out, though, that Wood is no longer the independent security researcher that he was two days ago, since Starbucks has now brought him on as a security consultant, along with the standard nondisclosure agreement. Wood said it is, at this time, an unpaid role.
Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek and eWeek. Evan can be reached at email@example.com and he can be followed at twitter.com/eschuman. Look for his column every Tuesday.