Starbucks fixes iOS app bugs

Summary: A new version has been released which no longer writes the user's personal information to a file that can be accessed by others who have the phone.


In response to the reports that their iOS app was writing the user's username and password in clear text to the device, Starbucks has released a new version — 2.6.2 — of that app.

Daniel Wood, the security researcher who found and reported the bug, has analyzed the new version and says that the major security problems in it that he reported have been fixed. He does have one recommendation for the app, but it's not a major issue.

As both Wood and we noted, there has been much exaggerated reporting on this bug. Only the iOS version was ever vulnerable. The user's credit card information was never in the file or otherwise exposed, but the Starbucks card number and balance were. The Starbucks servers were never compromised. There was no vulnerability in the app that would allow an attacker to run malicious code. The vulnerability was not remotely exploitable; an attacker would need physical access to the phone, and would probably need to cable it to a computer to access the data.

Some reports described a PIN bypass method. This is a method for bypassing the Starbucks app PIN in order to get at the data, not a way to bypass the iOS PIN. All the PIN does is to prevent access to the application; it doesn't allow a user browsing the file system from accessing the file.

Our report also jumped to an incorrect conclusion: The app does not need to crash in order for a session.clslog file to be created. The Crashlytics code generated it automatically, prior to the new version, when the app was backgrounded, for example when the user pressed the lock button.

Wood also reports that the geolocation log file is still created, although the app no longer keeps a running list of coordinates, which would allow some tracking of the user's movements. In the new version the app stores only the last location where a customer has used their device. Wood recommends that Starbucks remove this from the file, but doesn't consider it a significant issue.
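The two defects described above (credentials and card data written to a diagnostic log when the app is backgrounded, and location coordinates written to a second log) are both cases of sensitive fields reaching a log sink unfiltered. The following is an added example, not code from Starbucks, Crashlytics or the researcher, of the kind of check a development or security team can run over an app's own log files: it scans constructed key/value log lines for the categories the article names (account credentials, card number and balance, coordinates) and shows a redaction filter that strips those values before they are persisted. The log format, key names and all values are assumptions made up for the example.

```python
import re

# Constructed sample log, loosely modelled on a key=value diagnostic log that an
# app might write on backgrounding. None of these values are real.
SAMPLE_LOG = """\
2014-01-15 09:12:03 app_state=background
2014-01-15 09:12:03 username=jane.doe@example.com password=hunter2
2014-01-15 09:12:04 card_number=6010012345678901 balance=12.50
2014-01-15 09:12:05 location=47.6097,-122.3331
2014-01-15 09:12:06 screen=HomeView
"""

# Keys that should never be persisted in a diagnostic log (assumed names).
SENSITIVE_KEYS = {"username", "password", "card_number", "balance"}

# A "lat,lon" pair: flagged because a series of them lets a reader reconstruct
# the user's movements, which is the concern raised about the geolocation log.
COORD_RE = re.compile(r"^-?\d{1,3}\.\d+,-?\d{1,3}\.\d+$")

# One key=value token; values run to the next whitespace.
KV_RE = re.compile(r"(\w+)=(\S+)")


def is_sensitive(key, value):
    """Decide whether a single key=value pair must not reach the log."""
    if key in SENSITIVE_KEYS:
        return True
    # Only treat a location field as sensitive when it really holds coordinates.
    return key == "location" and COORD_RE.match(value) is not None


def scan_log(text):
    """Return (line_number, key, value) for every sensitive pair found.

    Use this on log files pulled from a device or backup to confirm that a
    fix actually stopped the leak, rather than trusting the release notes.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for key, value in KV_RE.findall(line):
            if is_sensitive(key, value):
                findings.append((line_no, key, value))
    return findings


def redact(text):
    """Replace sensitive values with a marker so the log stays useful for
    debugging (the key and the fact that it was set survive) while the value
    itself never touches disk. Apply this before the log sink, not after."""

    def replace_pair(match):
        key, value = match.group(1), match.group(2)
        if is_sensitive(key, value):
            return f"{key}=<redacted>"
        return match.group(0)

    return "\n".join(KV_RE.sub(replace_pair, line) for line in text.splitlines())


if __name__ == "__main__":
    for line_no, key, value in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {key} leaked ({value})")
    print()
    print(redact(SAMPLE_LOG))
```

Running the block lists five leaked fields (username, password, card number, balance, one coordinate pair) and then prints the same log with those values replaced. The scanner deliberately keys on field names rather than trying to recognise passwords by shape, since a password can look like anything; coordinates are the one case where the value's shape is checked, so that an unrelated "location" string is not flagged.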



About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec...
