Starbucks Acknowledges App Security Flaw, But the Vulnerability Persists For Now
Beware, fans of Starbucks and fans of paying for coffee with your smartphone! A big problem has been discovered relating to how the Starbucks mobile app processes its data, and while Starbucks is working to fix the app, users aren't in the clear yet.
ComputerWorld's Evan Schuman related the Starbucks mobile app's vulnerabilities in an exposé on Wednesday, after security researcher Daniel Wood published his research the day before, which revealed that the Starbucks mobile payment app -- which happens to be the most popular mobile payment system in the U.S. -- was exposing iOS users' personal data to potential theft.
The problem stemmed from the software that the Starbucks iOS app uses to analyze and log software crashes for developers to fix bugs. The crash analytic software, called Crashlytics, was logging user information like passwords, usernames, email addresses, and some location data in clear text.
Anyone with access to an iPhone with the Starbucks app could find the user data stored in the session.clslog file by connecting it to a computer -- no jailbreaking or other hacking necessary. Schuman called it "a treasure trove of security and privacy gems for anyone who steals the phone," or for any nefarious person who happens to have a laptop on hand and finds a misplaced iPhone in, say, a Starbucks.
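The underlying defect is a client-side log that records credentials and location in clear text, so anyone who can read the file can read the data. The added example below is not code from the article, from Starbucks or from Crashlytics; it is a small log-hygiene check of the kind an app team can run in a test build before shipping. It scans a log for sensitive key/value pairs and e-mail addresses, and redacts them. The sample log, the field names and the `session.clslog`-style layout are constructed for this example and are not the real Crashlytics format.

```python
import re
from typing import Dict, List

# Constructed sample of a crash-analytics log. This is NOT the real Crashlytics
# session.clslog format; the line layout and field names are assumptions.
SAMPLE_LOG = """\
2014-01-14 09:12:03 INFO session start device=iPhone
2014-01-14 09:12:04 DEBUG login request username=jane.doe email=jane@example.com password=hunter2
2014-01-14 09:12:05 DEBUG geo lat=47.6062 lon=-122.3321 accuracy=12m
2014-01-14 09:12:06 INFO balance refresh ok
"""

# Keys whose values must never be written to a log that lives on the device.
# The set mirrors what the article says was exposed: passwords, usernames,
# e-mail addresses and location data (token/passwd/pwd are assumed aliases).
SENSITIVE_KEYS = ("password", "passwd", "pwd", "token", "username", "email", "lat", "lon")

REDACTED = "[REDACTED]"

KV_PATTERN = re.compile(r"\b(%s)=(\S+)" % "|".join(SENSITIVE_KEYS), re.IGNORECASE)
EMAIL_PATTERN = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def scan_line(line: str) -> List[str]:
    """Return the sorted list of sensitive keys whose clear-text values appear on this line."""
    keys = {
        m.group(1).lower()
        for m in KV_PATTERN.finditer(line)
        if m.group(2) != REDACTED  # an already-redacted value is not a finding
    }
    # Catch e-mail addresses even when they are not behind a known key name.
    if EMAIL_PATTERN.search(line):
        keys.add("email")
    return sorted(keys)


def scan_log(text: str) -> Dict[int, List[str]]:
    """Map 1-based line numbers to the sensitive keys leaked on that line."""
    findings: Dict[int, List[str]] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        keys = scan_line(line)
        if keys:
            findings[lineno] = keys
    return findings


def redact(text: str) -> str:
    """Mask sensitive values in place; what remains is safe to keep in a crash log."""
    masked = KV_PATTERN.sub(lambda m: "%s=%s" % (m.group(1), REDACTED), text)
    # Any e-mail address that was not behind a known key is masked as well.
    return EMAIL_PATTERN.sub(REDACTED, masked)


if __name__ == "__main__":
    for lineno, keys in scan_log(SAMPLE_LOG).items():
        print("line %d leaks: %s" % (lineno, ", ".join(keys)))
    print(redact(SAMPLE_LOG))
```

Running the scanner over a real device log from a test build is the check that would have caught this class of problem before release; running `redact` in the logging layer (rather than on the file afterwards) is the mitigation, since the clear-text value then never reaches disk.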
Part of the problem is the design of the Starbucks app, which is so popular due, in part, to the ease of paying with your smartphone. Lots of payment apps require a password to be entered every time you want to spend or add money, but Starbucks chose to store the password on the phone so customers could buy their lattes without having to key in their username/password every time. The only time the Starbucks app requires a password is when adding money to the user's account.
"A company like Starbucks has to make the choice between usability to drive adoption and the potential for misuse or fraud," Charlie Wiggs, general manager and senior vice president for U.S. markets at mobile vendor Mozido, told ComputerWorld. "Starbucks has opted to make it very convenient. They just have to make sure that their comfort doesn't overexpose their consumers and their brand."
Starbucks addressed the issue on Thursday, saying that the company has "added several safeguards to protect the information" customers share with it. It also said that "out of an abundance of caution," Starbucks would "accelerate the deployment of an update for the app that will add extra layers of protection," which they expect to be ready "soon."
However, Starbucks mostly played down the dangers, calling the vulnerabilities "theoretical" and saying that "there is no indication that any customer has been impacted ... or that any information has been compromised." When pressed about whether the clear text logging problem for the iOS app had been fixed, though, a Starbucks spokesperson said "a theoretical vulnerability still exists."
Starbucks' less-than-open response to the problem, and its downplaying of the vulnerability as "theoretical," mirrors Snapchat's recent response to a potential security flaw in its app, a response that confidently ignored the problem until hackers actually used the flaw to post massive amounts of user data on the web. So iPhone Starbucks customers, be extra careful about leaving your phone around a Starbucks until the app update is released and scrutinized.