As promised, we have released an updated version of Starbucks Mobile App for iOS which adds extra layers of protection. We encourage customers to download the update as an additional safeguard measure.
The security bug was the result of excessive and insecure logging being performed by the app, which in some cases included saving passwords in cleartext. The problem came to light when security researcher Daniel Wood published his discovery to the Full Disclosure mailing list earlier this week.
The App Store release notes only list "additional performance enhancements and safeguards" for changes, but it looks like Starbucks has disabled the additional logging that was taking place by Crashlytics. Prior to the fix, the app was logging a large amount of debug data to a file called session.clslog. On certain user interactions, such as signing up for a new account, user details including usernames, passwords, emails, addresses and OAuth tokens were being logged to this file. This meant that if somebody were to gain access to your unlocked phone, they could use software to access that file and potentially obtain sensitive information.
With the update, all of the debug logging appears to have been disabled. While the old session.clslog file still originally appeared for iMore after the update, after restarting the Starbucks app the file was cleared out and left empty. After performing a number of actions in the app, such as signing out, signing in, failed login attempts, and creating a new user account, the session.clslog file remained completely empty. We've reached out to Mr. Wood for comment, but for now it appears that Starbucks has addressed all of the previously discovered issues. If you haven't already, be sure to grab the update.
Extra Credit: If you're interested in validating the fix for yourself, you can use a tool like PhoneView or iExplorer to check the Starbucks app for this file:
Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog. After updating and running the app, this file should be 0 bytes and look empty if you open it in any text editor.
Update: Daniel Wood, the researcher who originally brought this issue to light, has now posted a follow-up confirming that the 2.6.2 update addresses the previous logging issues. You can read his full report over on the Full Disclosure mailing list.
We may earn a commission for purchases using our links. Learn more.
Let's talk iOS 14 public betas, AirPods, and technostalgia
It's been a busy week with Apple releasing public betas for iOS 14, iPadOS 14, and tvOS 14. We also talk about the AirPods design rumors and more.
Cast and crew of 'Greyhound' take viewers behind the scenes in new clip
Tom Hanks, as well as the cast and crew of 'Greyhound', talk about the film and how nail-biting the Battle of the Atlantic really was.
C.J.'s next Fishing Tourney will be in July
There are four Fishing Tourneys each year in Animal Crossing: New Horizons. Here's when they are and what the rules are for participating.
If you have run an Airbnb, you might need one of these smart locks
These smart locks provide both convenience and security for you and your guests at your Airbnb rental. Make managing things easier by assigning codes and app access with the best smart locks around.