Starbucks fixes password-related flaw in its iOS app
Posted on 20 January 2014.
If you have followed last week's hullabaloo about the Starbucks iOS app found storing passwords and location coordinates in clear text, and you have been worried about your information being compromised, update the app and worry no more.

Starbucks said it has fixed the issue in the new version (2.6.2) of the iOS app and, according to Daniel Wood, the researcher who initially discovered the security flaw, the issue is now resolved.

The app no longer stores the Starbucks account password in plaintext (the password is now saved in Apple's encrypted keychain), and records only the coordinates of the last location where a customer has used their device.

"As such, I do not believe this file is a security concern as it does not aggregate geolocation data over time," he noted in an email sent to the Full Disclosure mailing list. "Your stored geolocation is overwritten each time and cannot be used to track your movement patterns over time."

He also added that the flaw was not as serious as media made it out to be.

"During the initial testing of the application, at no point was there credit card data contained within this file, only your Starbucks Card number and balance amount. At no point were Starbucks's data servers compromised, exposing their 10 million customers to the application as some reports have suggested. This was a local exploitable vulnerability on a user's device, not a remotely exploitable vulnerability on their servers or any other type of remote code execution vulnerability."

As a side note: Wood says that he has been "in continuous communication with Starbucks" while the company was working on fixing the flaw. According to Evan Schuman, Wood has been temporarily retained by the company as a security consultant (albeit unpaid for the time being).









Copyright 1998-2014 by Help Net Security.