The security bug was the result of excessive and insecure logging being performed by the app, which in some cases included saving passwords in cleartext. The problem came to light when security researcher Daniel Wood published his discovery to the Full Disclosure mailing list earlier this week.
The App Store release notes only list "additional performance enhancements and safeguards" for changes, but it looks like Starbucks has disabled the additional logging that was taking place by Crashlytics. Prior to the fix, the app was logging a large amount of debug data to a file called session.clslog. On certain user interactions, such as signing up for a new account, user details including usernames, passwords, emails, addresses and OAuth tokens were being logged to this file. This meant that if somebody were to gain access to your unlocked phone, they could use software to access that file and potentially obtain sensitive information.
With the update, all of the debug logging appears to have been disabled. While the old session.clslog file still originally appeared for iMore after the update, after restarting the Starbucks app the file was cleared out and left empty. After performing a number of actions in the app, such as signing out, signing in, failed login attempts, and creating a new user account, the session.clslog file remained completely empty. We've reached out to Mr. Wood for comment, but for now it appears that Starbucks has addressed all of the previously discovered issues. If you haven't already, be sure to grab the update.
- Download the update now (opens in new tab)
Extra Credit: If you're interested in validating the fix for yourself, you can use a tool like PhoneView or iExplorer to check the Starbucks app for this file:
Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog. After updating and running the app, this file should be 0 bytes and look empty if you open it in any text editor.
Update: Daniel Wood, the researcher who originally brought this issue to light, has now posted a follow-up confirming that the 2.6.2 update addresses the previous logging issues. You can read his full report over on the Full Disclosure mailing list.
This is great ! I'm glad they updated this app! Sent from the iMore App
Glad they addressed this issue but Starbucks, seriously, get your app IO7 updated. You guys are way behind.
i'm with you....i appreciate the security fix but would love to have a full ios7 update.... Sent from the iMore App
Nice to hear that they already updated the app to fix its security issue.
I think the Starbucks Canada app is separate from the US - anyone know if it was similarly affected as well? (Despite my avatar haven't been recently)
This might seem elementary, but how do you access program files on iOS without jailbreaking?
Get the best of iMore in in your inbox, every day!
Thank you for signing up to iMore. You will receive a verification email shortly.
There was a problem. Please refresh the page and try again.