Reports emerged earlier this week that the Starbucks’ iOS mobile application could be exposing the personal information of any customers that downloaded it. To their immense credit – especially considering that they are not a technology company – Starbucks issued an update resolving the vulnerability in their app late yesterday.
Of course, Starbucks isn’t suffering from a shortage of money by any means, but the vulnerability was reported sometime in December and fixed in January, which is respectable as far as security fixes are concerned. Vulnerability disclosures and resolution often involves vendor denials, knit-picking, convolution, and months and months before anything get resolved.
So, first and foremost: if you have downloaded the Starbucks mobile application on your iPhone, iPad, or other iDevice, then you should mosey on over to the App Store and install the update as soon as possible.
I’ll spare you most of the terrible technical details, but the vulnerability existed in what was – until 16 January – the most recent build of the application: version 2.6.1 for iOS. As I have made clear, the company has since fixed the vulnerability by releasing version 2.6.2, which – again – you can find in the Apple App Store.
Anyone that hasn’t applied the update could potentially be exposing a range of sensitive information, including their full name, address and device ID, as well as various geolocation data as well, according to a report written by Threatpost’s Chris Brook.
The coffee giant’s application was storing all of this information in plain, not encrypted text in a log file included as part of a third-party, crash-protection solution developed by a Boston company called Crashlytics.
Daniel Wood, the researcher that found the bug and a member of the Open Web Application Security Project (OWASP), basically blamed the vulnerability on Starbucks’ failure to follow best practices for application security.
Specifically, Wood said Starbucks should filter and sanitise data upon output “to prevent these data elements from being stored in the Crashlytics log files in clear text, if at all.”
Crashlytics develops crash reporting solutions for mobile application makers. Starbucks appears to have used this company’s technology in their application, though they may have implemented incorrectly, at least in part.
Crashlytics Cofounder Wayne Chang told Threatpost’s Chris Brook via email that the issue appears to involve one of the service’s plaintext logging features. He would go on to tell Threatpost that Crashlytics doesn’t collect usernames or passwords automatically. The feature, CLSLog, is an “optional feature that developers can use to log additional information.”
In case you were curious, the Starbucks app gives customers the ability to connect their Starbucks card to their smartphone, replenishing funds via Paypal or credit card, and allowing them to use their smartphone as a mobile payment mechanism at Starbucks locations around the globe.