Earlier this week, security researcher Daniel Wood disclosed his findings on Starbucks' insecure handling of sensitive user information in their iPhone app. The sensitive information discovered includes usernames, passwords, emails, addresses, location data, and OAuth keys. While Wood's findings are valid, the interpretations of his findings have been inaccurate and exaggerated.
The Starbucks iPhone app, like many iOS apps, includes a crash reporting framework: Crashlytics. In addition to crash reports, Crashlytics is also able to provide custom logging and reporting for mobile apps. The issue that Wood uncovered is that the Starbucks app is far too liberal in what information gets logged. Developers can choose to have certain events result in corresponding debug information being logged. For instance, if a request made to a server results in an error, the developer could have information pertaining to that error recorded, and then sent back to them in a log by Crashlytics.
In the case of the Starbucks app, the application is logging information that it shouldn't, like users' passwords. When a user signs up for a new account through the Starbucks app, all of the information for creating this account – email address, username, password, birthday, and mailing address – is temporarily logged to a file in the app. Wood also noted that a user's geolocation can get logged if they use the store finding feature of the app. Certainly sensitive information should be stored and transmitted securely by apps, but what is the actual risk to users here?
First of all, because the information is being stored in a temporary log, the window during which users are exposed will vary. It's an important distinction to make that Starbucks is not persistently storing user credentials in cleartext in the app, but instead they are temporarily getting logged after certain events. When I initially checked my logs, my password was nowhere to be found. The only time I was able to get my password to appear was if I signed out of the app and went through signing up with a new account.
Additionally, for users who set a passcode on their device, the risk is lowered. The first time an iOS device is plugged in to a computer, the device has to be unlocked before the computer can read any data from the device's filesystem. This means if you drop your phone on the street, then some stranger finds it, takes it home, and plugs it into their computer, they won't be able to view these logs unless they figure out your passcode, or they jailbreak your device. While not impossible, it's unlikely that a vulnerability like this will result in a rash of iPhone thefts by caffeine-crazed criminals looking to get access to your Starbucks cards.
According to Wood's disclosure, he originally reported the bug to Starbucks last month, but didn't receive a response from them. Computerworld reported that Starbucks executives responded saying the security issues have been addressed; however, both Wood and iMore have confirmed that, at least in some circumstances, users' passwords can still be logged in cleartext. Although iMore was unable to confirm that a user's password is logged when a user logs in, we did observe that unsuccessful login attempts result in the attempted username and password being logged (which still isn't desirable). Successfully logging in did not appear to result in the username and password showing up in the Crashlytics log.
Contrary to some reports, this bug shows no indication of being the result of convenience trumping security, or developers insecurely saving a user's credentials to automatically log them in when they use the app. The Starbucks app appears to generate an OAuth token on login, which is then securely stored in the device's keychain, following best practices for mobile security. Unfortunately, the oversight in logging currently undermines that security. This serves as a reminder to users of the importance of using unique passwords for each service they use, as well as a reminder to developers of how a single bug or oversight can undermine an otherwise sound implementation.
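A check a development team could run over log files pulled from a test device, to catch the signup, failed-login and store-finder leaks described above before release. This is an added example, not code from the Starbucks app or Crashlytics; the key names, the log line format and the sample log are assumptions constructed for illustration.

```python
import re

# Field names treated as sensitive, chosen to match the data the article lists.
# The exact key spellings are assumptions, not taken from the Starbucks app.
SENSITIVE_KEYS = ("password", "username", "email", "birthday", "address",
                  "latitude", "longitude", "access_token")

# Matches key=value (form/query style) and "key": "value" (JSON style).
_PATTERN = re.compile(
    r'(?P<prefix>"?(?P<key>' + "|".join(SENSITIVE_KEYS) + r')"?\s*[=:]\s*)'
    r'(?P<value>"[^"]*"|[^&\s,}]+)',
    re.IGNORECASE,
)


def redact_line(line):
    """Return the line with every sensitive value replaced by a marker."""
    return _PATTERN.sub(lambda m: m.group("prefix") + "[REDACTED]", line)


def audit(log_text):
    """Return [(line_number, sorted key names)] for lines that leak values."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        keys = sorted({m.group("key").lower() for m in _PATTERN.finditer(line)})
        if keys:
            findings.append((number, keys))
    return findings


# Constructed sample log, not real app output.
SAMPLE_LOG = """\
2014-01-15 10:02:11 POST /signup body: email=a@example.com&username=alice&password=hunter2&birthday=1990-01-01
2014-01-15 10:02:12 signup ok status=201
2014-01-15 10:05:40 login failed {"username": "alice", "password": "wrong pass"}
2014-01-15 10:07:03 store search latitude=47.6062&longitude=-122.3321
"""

if __name__ == "__main__":
    for number, keys in audit(SAMPLE_LOG):
        print(f"line {number}: leaks {', '.join(keys)}")
    print(redact_line(SAMPLE_LOG.splitlines()[2]))
```

The same `redact_line` logic belongs in the app's logging path, so that sensitive values are stripped before a line is ever written to disk or handed to the crash reporter; `audit` is the regression check that fails a build when a raw value slips through.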
When reached for comment, Starbucks was unable to give any specifics about the bug or any potential response to it, but did have this to say:
Update: Starbucks's CIO has issued the following statement:
Your security is incredibly important to us. This week a research report identified theoretical vulnerabilities associated with the Starbucks Mobile App for iOS in the event a customer’s iPhone were to be physically stolen and hacked.
We’d like to be clear: there is no indication that any customer has been impacted by this or that any information has been compromised. Regardless, we take these types of concerns seriously and have added several safeguards to protect the information you share with us. To protect the integrity of these added measures, we are unable to share technical details but can assure you that they sufficiently address the concerns raised in the research report.
Out of an abundance of caution, we are also working to accelerate the deployment of an update for the app that will add extra layers of protection. We expect this update to be ready soon and will share our progress here. While we are working on the update, we would like to emphasize that your information is protected and that you should continue to feel confident about the integrity of our iOS app.
We appreciate your business and believe it is our job to earn your trust as a customer. We also know that constant vigilance is the best way to protect you and the information you share with us. If you think your information may have been compromised for any reason, please contact our Customer Care team at 1-800-23-LATTE or at www.starbucks.com/customer.
Starbucks chief information officer
Update: Starbucks has released an update that addresses the issue.
The first thing you need to know is that you're paying to much for coffee.
First thing you need to know is that it's none of your business how much anybody pays for anything.
Also, "too much" as in "too much"...
True. But most people are paying too much for everything from gas to healthcare to video games. You're paying for halfway decent customer service and for them to give you all kinds of free shit. And a relatively consistent product. At least I am. My Starbucks and I regularly go to 3, all know me by name and give me free drinks unsolicited and treat me very well.
This guy ^ he understands. We all pay too much for almost everything. go get your coffee at the dollar store if that's what you like.. stfu.. I enjoy Starbucks and the app.. you don't like it? You don't have to.
+1 Posted via the Android iMore App on BlackBerry Z30
Good to see they are working on a fix for this. Great story! Sent from the iMore App
C'mon people! Please make sure that the security of the users is a priority. We've been hearing a lot of this news lately, so to the developers, don't wait 'til your users' information has been compromised before you act. I know this may not be an easy task but it is a very important one.
As a developer, I can attest to the siren call of overly-ambitious debug logging.