10 million Starbucks customers at risk for official iOS app flaw

Security researcher Daniel E. Wood discovered a vulnerability in the Starbucks official iOS app related to the insecure storage of user data.

10 million Starbucks customers who purchases drinks and food using their Smartphones are exposed to serious risk of data breach.

This is yet another story in which a poor implementation of minimum security requirements could have an impact on the end user and it digital identity, just as happened in the Snapchat case.

The official Starbucks iOS app doesn’t encrypting user’s data, including your password. The Starbucks app is usable by the customers to pay products of the popular Coffee Company, and to perform usual operations available on a banking account such as control the balance, fund transfer and check transaction history.

The Security researcher Daniel E. Wood discovered the vulnerability (CVE-2014-0647) in STARTBUCKS v2.6.1. iOS application, he revealed that the app stores user’s credential details and GPS data in plain text in the following file:

/Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog

Once know the location is quite easy for an attacker, that has physical access to the handset, to retrieve the user’s information accessing ‘session.clslog‘ file. The attacker once accessed with the file could gain access to the customer’s amount of money available on the Starbucks account.

As usual the hack could cause further problem to the clients of Starbucks that used the app if they share same credential on different web services, the recommendation for who made purchases is to change it immediately and adopting a different username and password for every service

If you are using your email password as the same Starbucks account password, please change it on first priority.Starbucks has promptly managed the incident, issuing an official statement to inform the clients and a successily providing an advisory to publicize the availability for an app update.

“UPDATE (January 16, 2014 09:00 PM P.S.T.): As promised, we have released an updated version of Starbucks Mobile App for iOS which adds extra layers of protection. We encourage customers to download the update as an additional safeguard measure. Read a letter from Curt Garner, Starbucks chief information officer, regarding customer information and Starbucks Mobile App for iOS”

The company remarked that there is no evidence that its customers have been impacted, but let me suggest you to follow the above suggestions.

“We’d like to be clear: there is no indication that any customer has been impacted by this or that any information has been compromised.” the company is asking to its customers to report any suspicious activity or fraud occurred.

It’s time to consider seriously the security of mobile apps, such flaws represent a serious threat to a user’s security and privacy, the situation is particularly alarming for mobile banking, a sector considered privileged by cybercriminals.

Not different is the situation for use of mobile application in workspace, a growing number of application are developed also by enterprise for internal use, also in this case security is a must and could expose the company to risk of cyber attack.

Back to the Starbucks app …  also enjoy a cup of coffee could be dangerous, inNaples we say:
“Excuse me, coffee makes me nervous”

Pierluigi Paganini

(Security Affairs –  Starbucks, hacking)