The folks over at CNBC posted a story today about Starbucks wherein their app for the iPhone apparently stores the username, email address and password in clear text.
Ouch! That'll knock the foam off your triple shot cafe whatever-you-call-it in a heartbeat.
From Full Disclosure:
Title: [CVE-2014-0647] Insecure Data Storage of User Data Elements in Starbucks v2.6.1 iOS mobile application
Published: January 13, 2014
Reported to Vendor: December 2013 (no direct response)
CVE Reference: CVE-2014-0647
Credit: This issue was discovered by Daniel E. Wood http://www.linkedin.com/in/danielewood
Product: Starbucks iOS mobile application
Version: 2.6.1 (May 02, 2013)
Vendor: Starbucks Coffee Company
URL: https://itunes.apple.com/us/app/starbucks/id331177714
Issue: Username, email address, and password elements are being stored in clear-text in the session.clslog crashlytics log file.
So, not an overly hard issue to fix at least. The part that caught my attention was their reaction to the issue.
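To make the "not overly hard to fix" point concrete, here is an added example (my own code, not anything from the Starbucks app or Crashlytics) showing the two sides of the problem the advisory describes: a diagnostic logger that serialises the whole login event, credentials included, beside one that redacts sensitive fields before the line is written, plus a small check a tester can run over a captured log file (such as the session.clslog mentioned above) to confirm that known test credentials never appear in it verbatim. The field names, the sample event and the sample log lines are all constructed for the example.

```python
import json
from typing import Any

# Field names that must never reach a crash or diagnostic log.
# Assumption: a reasonable starting list, not any real app's field names.
SENSITIVE_KEYS = {
    "password", "passwd", "pin", "token", "secret",
    "authorization", "email", "username",
}
REDACTED = "[REDACTED]"

# Constructed login event, the kind of thing a crash-reporting SDK might be
# handed as "breadcrumb" context. The values are made up for this example.
SAMPLE_EVENT = {
    "event": "login",
    "username": "testuser",
    "email": "testuser@example.com",
    "password": "hunter2-constructed",
    "device": {"os": "iOS 7.0.4", "model": "iPhone"},
}


def log_event_unsafe(event: dict[str, Any]) -> str:
    """The pattern behind the advisory: the full event, credentials and all,
    goes straight into the log line. Data at rest, in clear text."""
    return json.dumps(event, sort_keys=True)


def redact(value: Any) -> Any:
    """Recursively replace the value of any sensitive key, at any depth.
    Non-sensitive keys keep their (recursively redacted) values."""
    if isinstance(value, dict):
        return {
            key: (REDACTED if key.lower() in SENSITIVE_KEYS else redact(val))
            for key, val in value.items()
        }
    if isinstance(value, list):
        return [redact(item) for item in value]
    return value


def log_event_safe(event: dict[str, Any]) -> str:
    """Same log line, but sensitive fields are scrubbed before serialisation,
    so the diagnostic value (event name, device info) survives and the
    credentials do not."""
    return json.dumps(redact(event), sort_keys=True)


def find_plaintext_secrets(log_text: str, known_secrets: list[str]) -> list[tuple[int, str]]:
    """Verification step for a QA run: scan a captured log for any of the
    test credentials used during that run. Returns (line number, secret)
    pairs; an empty list means nothing leaked verbatim."""
    hits: list[tuple[int, str]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for secret in known_secrets:
            if secret and secret in line:
                hits.append((lineno, secret))
    return hits


# Constructed log contents: one line written the unsafe way, one the safe way.
SAMPLE_LOG_UNSAFE = "\n".join([
    "2014-01-13 09:12:01 app launched",
    "2014-01-13 09:12:04 " + log_event_unsafe(SAMPLE_EVENT),
])
SAMPLE_LOG_SAFE = "\n".join([
    "2014-01-13 09:12:01 app launched",
    "2014-01-13 09:12:04 " + log_event_safe(SAMPLE_EVENT),
])
TEST_SECRETS = [SAMPLE_EVENT["password"], SAMPLE_EVENT["email"], SAMPLE_EVENT["username"]]

if __name__ == "__main__":
    print("unsafe log hits:", find_plaintext_secrets(SAMPLE_LOG_UNSAFE, TEST_SECRETS))
    print("safe log hits:  ", find_plaintext_secrets(SAMPLE_LOG_SAFE, TEST_SECRETS))
```

The redaction is applied at the point where the event is turned into a log line rather than trusting every caller to strip fields first, and the scan is keyed on the exact test values used in the session, which catches the leak regardless of which file or format the SDK happens to write to.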
Starbucks said that though the report is "technically accurate ... unauthorized access to this information is safeguarded."
"Our customers' security is of the utmost importance to us, and we actively monitor for risks and vulnerabilities. While we are aware of this report, there is no known impact to our customers," said Starbucks spokesperson Linda Mills.
Safeguarded how exactly?
What struck me was that there was no mention as of this writing on their social media sites or in email.
Example from Twitter:
Apparently there had been no alerting of their customers to the issue yet. OK, fair enough. Maybe that's in process. It would be a nice courtesy for their customers, like me.
What about their next steps?
"To further mitigate our customers' potential risk from these theoretical vulnerabilities," she added, "Starbucks has taken additional steps to safeguard any sensitive information that might have been transmitted in this way."
Transmitted? The information was being stored in clear text. This is data at rest, not data in transit. There seems to be a fundamental lack of understanding here, to say nothing of the awkward attempt to detract from the risk by calling them out as "theoretical vulnerabilities".
Not one to cry over spilled milk... or coffee, I guess, I hope they spend more effort on the fix for this problem than they did on their spokesperson's prep time.
[UPDATE]: Starbucks issued an app update later on Thursday with a rather vague release note.
(Image used under CC from Smithcam)