Starbucks has reacted to the news that its iOS mobile app stores passwords and other personal details in easily extracted cleartext, updating the app to address the security flaws, though it insists that there have been no reported cases of actual exploits so far. The Starbucks iOS app was found to save each user’s password, username, and email address, along with geolocation tracking data, as unencrypted text, a huge potential security hazard that the coffee company now says it is patching.
Exactly what it’s doing to address those shortcomings isn’t explained, though it’s going to be a two-stage process. First there are new “safeguards” which the company says it has already implemented to protect information – Starbucks says that to “protect the integrity of these added measures” it won’t be detailing what it did – while a new app version is in the pipeline.
Its release is being accelerated and will “add extra layers of protection”, again unspecified. The app will be “ready soon”, Starbucks promises.
“There is no indication that any customer has been impacted by this,” Starbucks chief information officer Curt Garner maintains, “or that any information has been compromised.” The CIO also insists that the company takes such security flaws seriously, though security researcher Daniel Wood, who first spotted the issue, claims that he notified Starbucks back in November 2013 but received no response.
Starbucks’ motivation for its original coding decision is believed to have been convenience. By saving the account details in cleartext, the app could let the user log in once and then make several purchases, rather than demanding a time-consuming password entry each time.
Unfortunately, should the iOS device fall into the hands of someone with a little coding experience, they could readily extract the information from the phone. That would give them not only a username and password – which might be reused on other online services – but also a list of where the Starbucks customer had been.
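To make the trade-off in the last two paragraphs concrete, here is an added illustration (not the Starbucks app’s code, which is not public) contrasting the convenience shortcut described above with the usual hardened form on iOS: the app never persists the password at all, exchanges it once for a server-issued session token, and keeps only that token in the Keychain, restricted to this device and readable only while it is unlocked. The `SessionStore` type, the `com.example.coffee.session` service name and the `requestSessionToken` exchange are assumptions made for the example.

```swift
import Foundation
import Security

// Added illustration, not the Starbucks app's code. The "before" shows the
// convenience shortcut described in the article: credentials dropped into
// UserDefaults, which lands in a plaintext plist inside the app sandbox.
struct InsecureCredentialStore {
    func save(username: String, password: String) {
        UserDefaults.standard.set(username, forKey: "username")
        UserDefaults.standard.set(password, forKey: "password") // recoverable from a device copy
    }
}

// The "after": the password is used once to obtain a session token from the
// server (the exchange and token format are assumptions), and only the token
// is persisted, in the Keychain, so a copied sandbox yields nothing reusable.
enum KeychainError: Error { case unexpectedStatus(OSStatus) }

struct SessionStore {
    private let service = "com.example.coffee.session" // assumed identifier
    private let account = "session-token"

    private var baseQuery: [String: Any] {
        [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
    }

    func save(token: String) throws {
        // Replace any existing token rather than failing with errSecDuplicateItem.
        SecItemDelete(baseQuery as CFDictionary)
        var attributes = baseQuery
        attributes[kSecValueData as String] = Data(token.utf8)
        // Only readable while the device is unlocked, and never migrated to
        // another device via backup: the token is tied to this phone.
        attributes[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        let status = SecItemAdd(attributes as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
    }

    func loadToken() throws -> String? {
        var query = baseQuery
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        if status == errSecItemNotFound { return nil }
        guard status == errSecSuccess, let data = item as? Data else {
            throw KeychainError.unexpectedStatus(status)
        }
        return String(decoding: data, as: UTF8.self)
    }

    func clear() {
        SecItemDelete(baseQuery as CFDictionary)
    }
}

// Login flow: the password exists only in memory for the duration of this call.
// `requestSessionToken` stands in for the network exchange with the server.
func login(username: String, password: String,
           requestSessionToken: (String, String) throws -> String,
           store: SessionStore) throws {
    let token = try requestSessionToken(username, password)
    try store.save(token: token)
    // `password` goes out of scope here; nothing on disk ever held it.
}
```

Subsequent purchases present the token rather than the password, so the server can bound its lifetime and revoke it if the phone is lost, which no amount of local encryption gives a stored password. The same reasoning applies to the location data the article mentions: it belongs in memory or on the server, not in a log file inside the app sandbox.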