Evan Schuman: Starbucks sat on its clear-text password problem for months

The company is dancing around the question of what it knew and when it knew it, but the security problem was not a revelation for it this week

When Starbucks published the new version of its iOS mobile app yesterday to fix its passwords-in-clear-text problem, it demonstrated a seemingly awesome ability to correct a serious security issue in a single day.

But was it truly awesome? Not if it knew about the security hole for months. Not if it knew about it before it published the prior iOS app update back on May 2, 2013.

According to a key source involved in the process, Starbucks knew about the clear-text password problem before the May release, but issued the release anyway. The hole was never intended, the source said, but came about inadvertently due to the way the data was prepared to capture crash information. The problem was discovered during pre-launch testing, but not fixed. So Starbucks was aware of the problem for almost nine months before it finally addressed it, and that's a key reason it was able to patch things so quickly.

Starbucks' official line is that it knew something before the May update, but it is not admitting that it knew specifically that passwords appeared in clear text until security researcher Daniel Wood published his report earlier this week. "We were aware that crash logging was collecting the information when we launched [in May 2013]. However, we were not aware that in certain circumstances Starbucks account name and password were visible in that logging," said Starbucks spokesperson Linda Mills today. "When we became aware of this potential vulnerability through Daniel's report, we worked quickly to address it, and thus were able to release an update to the app last night."

When asked when Starbucks learned that passwords were in clear text, Mills said it was at 8 p.m. EST on Tuesday, Jan. 14, when I interviewed two senior Starbucks executives, CIO Curt Garner and Chief Digital Officer Adam Brotman. That seems unlikely, though, given that Wood's report was published on the morning of Jan. 13 and that I sent Starbucks a copy of that report early on Jan. 14.

Mills then said that "Curt and Adam were under the impression the data was only logged for crashes up until our conversation. And a fix was already under way for that. As soon as you sent me the report, the team immediately started to look into it, but we did not have confirmation. After our conversation with you, the team swiftly worked to accelerate an update."

Given that both execs explicitly said in the Jan. 14 interview that they had known about the clear-text password problem "for some time," it seems likely that the new information from the Woods report was that the holes had been discovered, not that they existed.

This raises a troubling question: If Starbucks had the ability to fix this in one day, why the heck didn't it do that months ago? For that matter, why wasn't the May 2013 version fixed before it went live?

The tendency of many large firms is to do nothing about security holes that they've learned about until either a major breach happens (e.g., Target and Neiman Marcus) or the media discloses the problem to the public. The latter seems to be the case with Starbucks, and as a columnist, I'm obligated to beat them up for taking no action when they had to know that storing passwords in plain text is sloppy security practice. Of course, if Starbucks officials really did first learn about the problem on Wednesday and then fixed the hole in a day, that would be very impressive. But, as a columnist, I'd have to beat them up for not having known. We security columnists are really hard to keep happy.

But this is the way it looks: Starbucks' security testing did in fact reveal the hole back before May 2013. So it gets points for not being clueless. But Starbucks chose to let the May update be distributed to millions of iPhones and iPads anyway. That's a big minus.

The Starbucks situation raises another issue that also seems to plague many companies. Woods told me that he had tried to tell Starbucks about the password issue for nearly two months. Every time he tried, he was transferred to customer service, which had no idea what to do with the information.

If that prompts a haughty chuckle at the mocha maestro's expense, you might want to stifle it, because it's probably fair to conclude that similar communication holes exist within the vast majority of Fortune 1,000 companies. If someone called your call center today and wanted to report a security hole involving your mobile app or some major problem with your website, would the caller be routed to the mobile or e-commerce team or be shunted off to some never-monitored voicemail? Be honest now.

The heads of IT -- and online and mobile groups -- are typically much more concerned with avoiding calls than making sure the calls get through. They figure (correctly, for what it's worth) that almost all external calls are from customers (send them to customer service), potential employees (off to HR) or salespeople (send them very far away). Switchboard and call center employees are trained well where to send those people -- as well as us lowly members of the Fourth Estate, who are dispatched to media relations -- but people calling in with security or other timely and critical information for IT/mobile/online are ignored.

Let's say a page on your website has been taken over and is showing obscene images. If someone wants to contact you who can show your people the exact affected pages and offer suggestions as to the nature of the problem, is there a prominent link on your site to direct them to the right contact? If such a call comes in, will your people know to immediately put the call through to the relevant department and keep trying different people until someone answers?

This is where small companies have a huge advantage. Whoever answers the phone in a 40-employee company will likely know who handles what or at least who would know the best person to field the call. But in a company with 400,000 employees, it's a much harder task.

Suggestion: Why not send a memo to all of the people who answer these calls saying that if anyone says they have information about IT, mobile, security or the website, they should be put through? For every 50 nuisance calls that get through -- and those calls are generally easy to identify in fewer than 30 seconds -- there could be one with information that's vital to the company.

Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek and eWeek. Evan can be reached at eschuman@thecontentfirm.com and he can be followed at twitter.com/eschuman. Look for his column every Tuesday.

Copyright © 2014 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon