Evan Schuman: Starbucks sat on its clear-text password problem for months
The company is dancing around the question of what it knew and when it knew it, but the security problem was not a revelation for it this week
Computerworld - When Starbucks published the new version of its iOS mobile app yesterday to fix its passwords-in-clear-text problem, it demonstrated a seemingly awesome ability to correct a serious security issue in a single day.
But was it truly awesome? Not if it knew about the security hole for months. Not if it knew about it before it published the prior iOS app update back on May 2, 2013.
According to a key source involved in the process, Starbucks knew about the clear-text password problem before the May release, but issued the release anyway. The hole was never intended, the source said, but came about inadvertently due to the way the data was prepared to capture crash information. The problem was discovered during pre-launch testing, but not fixed. So Starbucks was aware of the problem for almost nine months before it finally addressed it, and that's a key reason it was able to patch things so quickly.
Starbucks' official line is that it knew something before the May update, but it is not admitting that it knew specifically that passwords appeared in clear text until security researcher Daniel Wood published his report earlier this week. "We were aware that crash logging was collecting the information when we launched [in May 2013]. However, we were not aware that in certain circumstances Starbucks account name and password were visible in that logging," said Starbucks spokesperson Linda Mills today. "When we became aware of this potential vulnerability through Daniel's report, we worked quickly to address it, and thus were able to release an update to the app last night."
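The failure mode described above, a crash reporter that serialises whatever application state is at hand (including a login form) and so writes account names and passwords to disk in the clear, is illustrated by the following added Python example. It is not Starbucks' code nor the column author's; the field names, the sample state and the secret values are constructed, and the redaction rules are assumptions about what such an app would need to mask. The unsafe and hardened paths share one builder so the difference is only the redaction step, and `find_leaked` is the kind of pre-launch check that would have flagged the problem before release.

```python
import json
import re

# Keys whose values must never reach a crash log (constructed list; extend per app).
# Whether account names count as sensitive is a policy choice; here they do.
SENSITIVE_KEYS = {
    "password", "passwd", "pwd", "secret", "token", "authorization",
    "session", "username", "email",
}

# Secrets can also hide inside free-text fields such as a logged request line.
# Both patterns are constructed examples, not a complete catalogue.
KEY_VALUE_PATTERN = re.compile(r"(?i)\b(password|passwd|pwd)\s*[=:]\s*\S+")
BEARER_PATTERN = re.compile(r"(?i)\bbearer\s+\S+")

REDACTED = "[REDACTED]"


def redact(value):
    """Return a deep copy of a crash-context object with sensitive data masked.

    Dict keys are matched case-insensitively against SENSITIVE_KEYS; string
    values are scrubbed with the regexes above; lists are handled recursively.
    """
    if isinstance(value, dict):
        return {
            k: (REDACTED if k.lower() in SENSITIVE_KEYS else redact(v))
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str):
        scrubbed = KEY_VALUE_PATTERN.sub(lambda m: f"{m.group(1)}={REDACTED}", value)
        return BEARER_PATTERN.sub(f"Bearer {REDACTED}", scrubbed)
    return value


def build_crash_report(exception_message, app_state, redactor=redact):
    """Assemble the JSON payload a crash reporter would persist or upload.

    Passing redactor=lambda x: x reproduces the leak the column describes:
    the whole in-memory state, login form included, lands in the log.
    """
    report = {"message": exception_message, "state": app_state}
    return json.dumps(redactor(report))


def find_leaked(serialized_report, known_secrets):
    """Pre-launch check: which of the known test secrets appear verbatim in the report?"""
    return [s for s in known_secrets if s in serialized_report]


# Constructed sample state: what a login screen might hold at the moment of a crash.
SAMPLE_STATE = {
    "screen": "login",
    "form": {"username": "jane@example.com", "password": "hunter2-constructed"},
    "last_request": "POST /login password=hunter2-constructed",
    "headers": {"Authorization": "Bearer abc.def.ghi-constructed"},
}
TEST_SECRETS = ["hunter2-constructed", "abc.def.ghi-constructed", "jane@example.com"]


if __name__ == "__main__":
    unsafe = build_crash_report("NSInvalidArgumentException", SAMPLE_STATE, redactor=lambda x: x)
    safe = build_crash_report("NSInvalidArgumentException", SAMPLE_STATE)
    print("unsafe report leaks:", find_leaked(unsafe, TEST_SECRETS))
    print("redacted report leaks:", find_leaked(safe, TEST_SECRETS))
    print(safe)
```

Running the module prints the leaked secrets for the unredacted path and an empty list for the redacted one, while non-sensitive diagnostic context (the screen name, the exception message) survives intact.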
When asked when Starbucks learned that passwords were in clear text, Mills said it was at 8 p.m. EST on Tuesday, Jan. 14, when I interviewed two senior Starbucks executives, CIO Curt Garner and Chief Digital Officer Adam Brotman. That seems unlikely, though, given that Wood's report was published on the morning of Jan. 13 and that I sent Starbucks a copy of that report early on Jan. 14.
Mills then said that "Curt and Adam were under the impression the data was only logged for crashes up until our conversation. And a fix was already under way for that. As soon as you sent me the report, the team immediately started to look into it, but we did not have confirmation. After our conversation with you, the team swiftly worked to accelerate an update."
Given that both execs explicitly said in the Jan. 14 interview that they had known about the clear-text password problem "for some time," it seems likely that the new information from Wood's report was that the holes had been discovered, not that they existed.