A security researcher has discovered that Starbuck’s iOS mobile application stores users’ usernames, email address and passwords in clear text, and has tried to share this discovery with the company for months.
However, after repeatedly being transferred to customer service, Daniel Wood decided to go public with his discovery on the Full Disclosure mailing list on Monday.
“Username, email address, and password elements are being stored in clear-text in the session.clslog Crashlytics log file,” he explained. “Within session.clslog there are multiple instances of the storage of clear-text credentials that can be recovered and leveraged for unauthorized usage of a users account on the malicious users’ own device or online at https://www.starbucks.com/account/signin. It contains the HTML of the mobile application page that performs the account login or account reset. session.clslog also contains the OAuth token (signed with HMAC-SHA1) and OAuth signature for the users account/device to the Starbucks service.”
The danger lies mostly in the fact that the app is used to perform purchases at Starbuck, and some users enable the auto-replenish option, which makes the app able to access the users’ bank account and transfer money from it to their Starbucks account.
A thief who steals a user’s iPhone or a friend who borrows it and knows what to do and what tool to use can easily access the aforementioned file even if the phone is locked, Wood told Evan Schuman. With the username / password combination, he can empty the victim’s Starbucks account either via the app (if he guesses the PIN) or via the Starbucks website.
Another, more serious problem may arise if the victim uses the same login credentials for more important accounts.
Since the public release of the information regarding this security flaw, Starbucks executives confirmed that they knew about its existence, and that they have implemented adequate security measures to fix the flaw.
They didn’t specify what kind of measures put into effect, but Wood says that the flaw is still present in the latest version of the app. This time he also noticed that a geolocation history file also contains information in clear text – information that can be used to discover the victim’s movements.
In his post on the Full Disclosure list, Wood offered advice on how to mitigate the problem, and has also shared a list of iOS specific best practices regarding data storage that app developers should implement. But only time can tell if Starbucks will listen.