Wednesday, January 15, 2014

The Starbucks iOS mobile app stores geolocation data, credentials in clear text

The Starbucks mobile app is the most used mobile-payment app in the U.S., but the iOS version has two big problems, and Starbucks executives confirmed them late Tuesday, as Computerworld reported.

The first issue is that the app stores the password on the device. That wouldn't be an issue, if it wasn't for the fact that the password is stored in plain text. The second issue is that the app also stores geolocation data for the user.

The issues were first posted by Daniel Wood, a Minneapolis-based security researcher and pen (penetration) tester, at’s Full Disclosure site. There, he said:
Issue: Username, email address, and password elements are being stored in clear-text in the session.clslog crashlytics log file.
Location: /Library/Caches/

Within session.clslog there are multiple instances of the storage of clear-text credentials that can be recovered and leveraged for unauthorized usage of a users account on the malicious users’ own device or online at It contains the HTML of the mobile application page that performs the account login or account reset. session.clslog also contains the OAuth token (signed with HMAC-SHA1) and OAuth signature for the users account/device to the Starbucks service.
To be clear, the file in question is actually part of a log by a third-party crash analysis app from Crashlytics, which was purchased by Twitter last year.

Wood said he tried contacting Starbucks in mid-November of last year. After being stymied in terms of getting an adequate response from the company (he said he was repeatedly transferred to customer service during the following two months), he decided to go live with some of his research.

Starbucks said:
Our customers’ security is of the utmost importance to us, and we actively monitor for risks and vulnerabilities. While we are aware of the theoretical vulnerabilities outlined in this report, there is no known impact to our customers at this time. To further mitigate our customers’ potential risk from these theoretical vulnerabilities, Starbucks has taken additional steps to safeguard any sensitive information that might have been transmitted in this way.
It is unclear what these additional steps are. The iOS app has not been updated since May of 2013.

According to Wood, the data can be retrieved from a phone without knowledge of a user's device password, by connecting the device to a PC and using the same tools Wood did. Jailbreaking is not required, either.

It's unclear why the data is stored in clear text. As Computerworld says, however, although the data is stored in the log file of a different third-party app, "it is certain that Starbucks' policies permitted the clear text."

No comments: