Starbucks addresses security snafu with update to iOS app

Responding to a recent security bug, Starbucks released an update to their iPhone app addressing the issue late last night. Starbucks said in an update on their blog:

As promised, we have released an updated version of Starbucks Mobile App for iOS which adds extra layers of protection. We encourage customers to download the update as an additional safeguard measure.

The security bug was the result of excessive and insecure logging being performed by the app, which in some cases included saving passwords in cleartext. The problem came to light when security researcher Daniel Wood published his discovery to the Full Disclosure mailing list earlier this week.

The App Store release notes only list "additional performance enhancements and safeguards" for changes, but it looks like Starbucks has disabled the additional logging that was taking place by Crashlytics. Prior to the fix, the app was logging a large amount of debug data to a file called session.clslog. On certain user interactions, such as signing up for a new account, user details including usernames, passwords, emails, addresses and OAuth tokens were being logged to this file. This meant that if somebody were to gain access to your unlocked phone, they could use software to access that file and potentially obtain sensitive information.

With the update, all of the debug logging appears to have been disabled. While the old session.clslog file still originally appeared for iMore after the update, after restarting the Starbucks app the file was cleared out and left empty. After performing a number of actions in the app, such as signing out, signing in, failed login attempts, and creating a new user account, the session.clslog file remained completely empty. We've reached out to Mr. Wood for comment, but for now it appears that Starbucks has addressed all of the previously discovered issues. If you haven't already, be sure to grab the update.

Extra Credit: If you're interested in validating the fix for yourself, you can use a tool like PhoneView or iExplorer to check the Starbucks app for this file: Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog. After updating and running the app, this file should be 0 bytes and look empty if you open it in any text editor.

Update: Daniel Wood, the researcher who originally brought this issue to light, has now posted a follow-up confirming that the 2.6.2 update addresses the previous logging issues. You can read his full report over on the Full Disclosure mailing list.

Nick Arnott

Security editor, breaker of things, and caffeine savant. QA at Double Encore. Writes on neglectedpotential.com about QA & security, and as @noir on Twitter about nothing in particular.

More Posts

 

7
loading...
17
loading...
62
loading...
0
loading...

← Previously

Apple CEO Tim Cook handing out autographed iPhones at China Mobile launch

Next up →

The best smartwatches your money can buy right now

There are 6 comments. Add yours.

asuperstarr says:

This is great ! I'm glad they updated this app!

Sent from the iMore App

nyc_rock says:

Glad they addressed this issue but Starbucks, seriously, get your app IO7 updated. You guys are way behind.

CK#CB says:

+1
i'm with you....i appreciate the security fix but would love to have a full ios7 update....

Sent from the iMore App

zdn1042 says:

Nice to hear that they already updated the app to fix its security issue.

lfeuln says:

I think the Starbucks Canada app is separate from the US - anyone know if it was similarly affected as well? (Despite my avatar haven't been recently)

worknman says:

This might seem elementary, but how do you access program files on iOS without jailbreaking?