Starbucks' iOS app storing user credentials in plain text

Posted at 21:37

Watch out, coffee drinkers. If you are one of the 10 million Starbucks customers who purchase drinks and food directly from their smartphones, this news is for you!

If you use Starbucks’ official iOS app, you should know that the company is not encrypting any of your information, including your password.

The app allows Starbucks customers to check their balance and transaction history, transfer funds, find store locations, and more.

Security researcher Daniel E. Wood found a vulnerability (CVE-2014-0647) in the Starbucks v2.6.1 iOS mobile application: it stores your credentials and GPS locations in plain text on the file system.

To extract the information from the phone, an attacker only needs to connect the device to a computer and read the 'session.clslog' file at the location given below:
/Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog
The vulnerability does require the hacker to have physical access to your phone, but a successful attack would give the hacker access to the money on the customer's account.
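As an added illustration, not code from Starbucks or from the researcher, here is the weak pattern the article describes (a login event serialised into a diagnostic log with credentials and coordinates intact) next to a version that redacts sensitive fields before anything is written, plus a check a QA or security team can run over a captured log after a test login. The key list and the sample event are constructed assumptions, not data from the app.

```python
import json

# Fields that must never reach a crash-reporting or diagnostic log.
# Hypothetical list modelled on what the article says was leaked:
# credentials plus GPS coordinates.
SENSITIVE_KEYS = {"username", "password", "email", "latitude", "longitude"}
REDACTED = "[REDACTED]"


def log_event_unsafe(event: dict) -> str:
    """Weak pattern: the whole event, secrets included, goes straight
    into the log line that ends up on disk."""
    return json.dumps(event, sort_keys=True)


def redact(value):
    """Recursively replace sensitive fields in nested dicts and lists."""
    if isinstance(value, dict):
        return {k: (REDACTED if k.lower() in SENSITIVE_KEYS else redact(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def log_event_safe(event: dict) -> str:
    """Hardened pattern: strip secrets before the line is written."""
    return json.dumps(redact(event), sort_keys=True)


def find_leaks(log_text: str, secrets) -> list:
    """Return the known secret values that appear verbatim in a captured log.
    Run this over the app's cache directory after a test login; any hit
    means credentials are being written to disk in plain text."""
    return [s for s in secrets if s in log_text]


if __name__ == "__main__":
    # Constructed sample event; not real account data.
    event = {"action": "login", "username": "alice@example.com",
             "password": "hunter2",
             "location": {"latitude": 47.6, "longitude": -122.3}}
    print(find_leaks(log_event_unsafe(event), ["hunter2"]))  # ['hunter2']
    print(find_leaks(log_event_safe(event), ["hunter2"]))    # []
```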

If you use the same password for your email account and your Starbucks account, change it immediately.

Without wasting time, Starbucks issued a statement acknowledging the vulnerability in its mobile application, saying “We are aware” of the problem and that security measures have been taken to ensure that “usernames and passwords are safe.”

"We’d like to be clear: there is no indication that any customer has been impacted by this or that any information has been compromised." The company also asked its customers to report any theft or fraud that occurred as a result of this vulnerability.

Vulnerabilities of this kind are caused by novice development practices and a lack of black-box testing of the finished product. Companies should invest a little extra in securing applications that are directly linked to finances and users' personal data.

Mobile users are advised to use a strong device passcode, longer than four characters and mixing letters and numbers, to protect their data from flaws like this one.