As promised, we have released an updated version of Starbucks Mobile App for iOS which adds extra layers of protection. We encourage customers to download the update as an additional safeguard measure.
The security bug was the result of excessive and insecure logging being performed by the app, which in some cases included saving passwords in cleartext. The problem came to light when security researcher Daniel Wood published his discovery to the Full Disclosure mailing list earlier this week.
The App Store release notes only list "additional performance enhancements and safeguards" for changes, but it looks like Starbucks has disabled the additional logging that was taking place by Crashlytics. Prior to the fix, the app was logging a large amount of debug data to a file called session.clslog. On certain user interactions, such as signing up for a new account, user details including usernames, passwords, emails, addresses and OAuth tokens were being logged to this file. This meant that if somebody were to gain access to your unlocked phone, they could use software to access that file and potentially obtain sensitive information.
With the update, all of the debug logging appears to have been disabled. While the old session.clslog file still originally appeared for iMore after the update, after restarting the Starbucks app the file was cleared out and left empty. After performing a number of actions in the app, such as signing out, signing in, failed login attempts, and creating a new user account, the session.clslog file remained completely empty. We've reached out to Mr. Wood for comment, but for now it appears that Starbucks has addressed all of the previously discovered issues. If you haven't already, be sure to grab the update.
Extra Credit: If you're interested in validating the fix for yourself, you can use a tool like PhoneView or iExplorer to check the Starbucks app for this file:
Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog. After updating and running the app, this file should be 0 bytes and look empty if you open it in any text editor.
Update: Daniel Wood, the researcher who originally brought this issue to light, has now posted a follow-up confirming that the 2.6.2 update addresses the previous logging issues. You can read his full report over on the Full Disclosure mailing list.
We may earn a commission for purchases using our links. Learn more.
Apple Card users can see their annual spending with iOS 14.2 beta 2
Apple Card users with iOS 14.2 beta 2 installed have noticed that they can now see their annual spending for the first time.
You can use a Wii Nunchuck to play iPhone games. But you shouldn't.
The sheer number of things that you can plug into an iPhone will never cease to amaze. But did you ever expect someone to play iPhone games with a Wii Nunchuck?
Epic 'does not dispute' breaking App Store rules in latest filing
In a response to Apple's counterclaim against Epic Games over breach of contract, Epic Games has admitted its payment solution was prohibited by its contractual agreement with Apple, but denies its refusal to go along with Apple's "anti-competitive scheme" was wrong.
These HomeKit cameras work with iOS14's Face Recognition and Activity Zones
iOS 14 brings some powerful new capabilities to HomeKit Secure Video-enabled cameras like Face Recognition and Activity Zones. Here's all of the cameras and doorbells that support the latest and greatest HomeKit features.