Thursday, January 16, 2014

Starbucks App Stores Passwords in Clear Text

Evan Schuman (via Sean Hollister):

The Starbucks mobile app, the most used mobile-payment app in the U.S., has been storing usernames, email addresses and passwords in clear text, Starbucks executives confirmed late on Tuesday (Jan. 14). The credentials were stored in such a way that anyone with access to the phone can see the passwords and usernames by connecting the phone to a PC. No jailbreaking of the phone is necessary. And that clear text also displays an extensive list of geolocation tracking points (latitude, longitude), a treasure trove of security and privacy gems for anyone who steals the phone.

Update (2014-01-17): Nick Arnott:

The Starbucks iPhone app, like many iOS apps, includes a crash reporting framework: Crashlytics. In addition to crash reports, Crashlytics is also able to provide custom logging and reporting for mobile apps. The issue that Wood uncovered is the Starbucks app is far too liberal in what information gets logged. Developers can choose to have certain events result in corresponding debug information being logged. For instance, if a request made to a server results in an error, the developer could have information pertaining to that error recorded, and then sent back to them in a log by Crashlytics.

In the case of the Starbucks app, the application is logging information that it shouldn't, like users' passwords. When a user signs up for a new account through the Starbucks app, all of the information for creating this account – email address, username, password, birthday, and mailing address – is temporarily logged to a file in the app.

Also, the app has now been updated:

With the update, all of the debug logging appears to have been disabled. While the old session.clslog file still originally appeared for iMore after the update, after restarting the Starbucks app the file was cleared out and left empty. After performing a number of actions in the app, such as signing out, signing in, failed login attempts, and creating a new user account, the session.clslog file remained completely empty.

3 Comments

> Although it is certain that Starbucks' policies permitted the clear text, the file that displayed is actually part of a capture done by a third-party crash analysis app from a company called Crashlytics, which was purchased by Twitter last year. Neither Crashlytics nor Twitter returned emails and voicemail messages seeking comment.

So did they not use the keychain, or did they log the password in their logs/crashes somehow?

@Johan Maybe it’s logging what they send over the network?

Looks like all that info is now safely stored on Twitter's servers... http://www.zdnet.com/the-starbucks-bug-not-as-awful-as-reported-7000025269/

Stay up-to-date by subscribing to the Comments RSS Feed for this post.

Leave a Comment