pic : starbucks.com
Security researcher Daniel E. Wood discovered that Starbucks IoS App stores username, email address and passwords in clear text(CVE-2014-0647) . Starbucks mobile payment apps are used widely by customers for its easiness to buy privileges. However this disclosure comes with a surprise because all the customer data gets stored in plain text and easily available for anyone having access to the device.
He tried reaching out to Starbucks multiple times but the company has never taken him seriously . Hence after Wood was turned down, he decided to publicly post on securelist on Monday. It’s a clear indication that large companies like Starbucks take customers lightly in the information age because they know they can get away with such complains easily. ( Disclosure: I am a big fan of Starbucks)
“A company like Starbucks has to make the choice between usability to drive adoption and the potential for misuse or fraud,” said Charlie Wiggs, general manager and senior vice president for U.S. markets at mobile vendor Mozido. “Starbucks has opted to make it very convenient. They just have to make sure that their comfort doesn’t overexpose their consumers and their brand.”
“Yes, it does surprise me,” said Gartner security analyst Avivah Litan. “I would have expected more out of Starbucks. At least they should have informed consumers.”
The location of the file : Location: /Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog
“Within session.clslog there are multiple instances of the storage of clear-text credentials that can be recovered and
leveraged for unauthorized usage of a users account on the malicious users’ own device or online at
https://www.starbucks.com/account/signin. It contains the HTML of the mobile application page that performs the
account login or account reset. session.clslog also contains the OAuth token (signed with HMAC-SHA1) and OAuth
signature for the users account/device to the Starbucks service.”
