Starbucks Phone App Stores Password Unencrypted 137
JThaddeus writes "The Daily Caller reports a serious security flaw in the Starbucks phone app: 'Starbucks confirmed late Tuesday that anyone could access the unencrypted data stored on the official Starbucks app simply by connecting the phone to a computer – bypassing lock screen or PIN security features with no hacking or jailbreaking necessary.' The linked report is for iOS. No mention of Android, but do you think it is any different?" (Starbucks says they've addressed the problem.)
When will companies be held liable? (Score:5, Interesting)
When will companies be held liable for implementing incompetent security (or not implementing it all)?
The marketing weenies are all over getting the brand out, but don't give a shit about security.
Companies should be getting fined for crap like this. Between data beaches and gross incompetence at any form of security, trusting a marketing app is the height of stupid.
Re:When will companies be held liable? (Score:5, Insightful)
Never. Per the last few hundred years of legal precedent, the companies are the victims. It's in the same category as leaving a house unlocked. Legally, the person at fault is the one who decided to abuse the flaw and access information they aren't supposed to.
There is a case for negligence, but that requires that the negligent party be unreasonably incompetent, and at the moment, most companies with these kind of security problems are performing on par with most of America - the non-techies who don't understand security.
Re: (Score:3)
Never. Per the last few hundred years of legal precedent, the companies are the victims. It's in the same category as leaving a house unlocked. Legally, the person at fault is the one who decided to abuse the flaw and access information they aren't supposed to.
Have fun trying to sell that to your insurance company.
Re: (Score:2, Interesting)
I don't know where you live, but throughout most of the world content insurance covers theft.
Both break and enter as well as trespassing don't require the door to be locked. Theft doesn't depend on either of the above cases to be met (if your ladder sticks up over your fence, or your lawnmower is sitting on public land (an easement), or your door mat is sitting outside an apartment unit in a common space, theft is still "depriving someone of lawfully acquired property without the permission of the owner
Re: (Score:2)
However, that isn't really the end of the story is it? After a claim or two it isn't unheard of for an insurance company to drop a customer, or raise rates. It also isn't unheard of for Insurance companies to mandate their customers comply with standards higher than that of legal obligation.
Seems to me it would be perfectly legitimate for an insurance company which insures a company that is distributing software to take appropriate precautions commensurate with industry best practices or else void their pol
Re: (Score:2)
Re: (Score:2)
No, but they've been known to deny coverage if they can find any little thing which they can blame on you.
Insurance companies aren't exactly known for playing nice in a lot of cases.
Re: (Score:2)
Re: (Score:2)
Correct, but doing it in such a way as to imply that insurance companies care about legal liability, when in fact they only care about their own liability -- if they can get away with denying you coverage they will.
Even if 'technically' the legal liability was with whoever went into your unlocked house.
In other words, legal liability can be detached from what insurance companies are willing to accept, and being right on an abstract point is immaterial. ;-)
Re: (Score:2)
Re: (Score:2)
Insurance companies aren't exactly known for playing nice in a lot of cases.
Which is why "suing insurance companies" is the national sport of the American court system.
Re: (Score:2)
Of course they can kick you out. That doesn't change the fact that the theft or whatever happened while you were insured and thus they have to pay.
Re: (Score:3)
Oh, I don't know ... storing passwords in plain text sounds pretty unreasonably incompetent since we've known for 30+ years it's a stupid idea.
It's not like there should be anybody who doesn't know that yet. At least not anybody you should be trusting to write code.
Re: (Score:2)
There is a case for negligence
Not if there are no damages. I don't see anything about anyone losing money yet.
Re: (Score:1)
In Quebec, you can get a ticket for leaving your car doors unlocked in public parking lot. To be sure there's no place for discussion, they place the ticket on the dashboard and lock the doors on their way out.
Re: (Score:2)
Don't most cars unlock the door if you lock from inside first, and then close the door? Pretty sure at least the driver's door unlocks if you close it locked.
Duty of Care (Score:2)
Never. Per the last few hundred years of legal precedent, the companies are the victims. It's in the same category as leaving a house unlocked. Legally, the person at fault is the one who decided to abuse the flaw and access information they aren't supposed to.
Even if true (and I don't agree that it is) this is easily remedied through legislation making inadequate care of customer data illegal by statute (negligence per-se). Furthermore there there are a variety of duty of care torts under which a company could be legally charged including potentially fiduciary duty in some cases.
The fact that many companies are incompetent is not a sufficient excuse and should never be regarded as such.
Re: (Score:2)
There is a case for negligence, but that requires that the negligent party be unreasonably incompetent
It's 2014. Anyone who stores data unencrypted *IS* unreasonably incompetent.
Starbucks says they've addressed it - but unless they've fired everyone involved (including the managers), they really have not.
Re:When will companies be held liable? (Score:5, Insightful)
It's in the same category as leaving a house unlocked.
That analogy is incorrect. In a correct analogy, the locksmith installed a lock that he swore up and down would protect your home, you locked the door thinking you were fine, and then somebody came in and stole a bunch of things. And that would in fact make the locksmith liable, especially if there was a written guarantee on the lock and the locksmith's work (but even if not, there's the implied warranty of merchantability that says that he's still liable).
And as soon as you look at the case that way, Starbucks is being negligent, just like the locksmith was in our analogous scenario. The key factor here is that the victim of the crime is not the person who left themselves vulnerable to it through their own stupidity.
Re: (Score:1)
After some experience with the industry I have come to the conclusion that a lot (but not nearly enough) of the devs actually do know that the stuff they build is insecure. But usually it comes down to some situations:
"Meh, this is not really that important to spend so much time securing",
"My boss is on my ass to finish this fast" or "I have a deadline to meet",
"If I get this done really fast I will win some points with the boss and maybe get a good review",
"I do know I should encrypt this password, but I n
Re: (Score:2)
Re:When will companies be held liable? (Score:4, Interesting)
Inductive reasoning states never.
Look at historic security breaches in the past that resulted in massive data compromise. Most companies that were breached are back to their stock norms, or perhaps even higher [1] a few quarters after the incident. Couple this with the belief that security has no ROI...
I wouldn't expect anything to change anytime soon.
[1]: I remember being told by an MBA that all press is good press, so a security breach is still getting a company name in front of people's eyes/ears where they may never have gotten with normal advertising methods.
Re: (Score:1)
So this story means new people are hearing about Starbucks for the first time?
Re: (Score:3)
Re: (Score:2)
Marketing, and collecting consumer information. Exactly what most apps are for these days.
Sure, you might get a small discount now and then, but the treasure trove of marketing data is worth far more than that discount is.
Re: (Score:2)
So this story means new people are hearing about Starbucks for the first time?
Not necessarily for the first time. I wasn't thinking at all about coffee, but now there's an article about a big coffee vendor, so it comes to mind. Maybe I'll stop in on my way home, since I walk past several... (but who am I kidding, they're always crowded and I've never ordered coffee on my own before, so I'm not sure I know how to do that without making a fool of myself...)
Re: (Score:2)
Indeed it's called "top of mind" and it's an old, old marketing tactic with the pinnacle being Kleenex, band-aid, coke, etc.
https://en.wikipedia.org/wiki/Top-of-mind_awareness [wikipedia.org]
https://en.wikipedia.org/wiki/Brand_awareness [wikipedia.org]
Re: (Score:2)
Well, it depends on the results. I've never used the app*, but...
If the result is that you get to share in the user's freebie downloads and coupons, then it's Starbucks' problem, and they can eat the results for all I care.
If the result is a compromise of the user's CC info, then yeah, Starbucks needs to not only eat that cost, but forced to eat any associated costs that the ID theft brings about, and then compensate every user generously for his/her time and trouble.
I guess what I'm getting at is this - if
Re: (Score:2)
Re: (Score:1)
from what i read it was only in a log file, not the part where it authorizes your CC
relax
someone would have to steal your phone to take the data off. and anyone on ios 7 which is more iphone users will have find my iphone enabled and will send a remote wipe command.
or just change your passwords once you lose your phone and problem solved
Re:When will companies be held liable? (Score:5, Insightful)
Before you have grounds for a suit based on liability, you have to show harm that wasn’t already reimbursed by anyone who you might seek to hold liable.
There’s no “harm” done to you by having your password stored in the clear on your device. If someone got that password, used it to run up charges on your account, then there’s harm done. If Starbucks policy results in you being refunded and not being held accountable for those charges, then there’s still no harm. You’ve already been made whole in monetary terms before any legal proceeding might have commenced, QED no grounds for any legal proceeding.
Also, as others have pointed out, the harm isn’t actually perpetrated by Starbucks in this case. It’s done by whoever got your phone, extracted the password, and used it for mayhem. A defense attorney for Starbucks would make a (rather valid IMHO) argument that by allowing someone else to take your phone and plug it into their computer, you failed to take reasonable actions to secure your own system. At best, Starbucks is responsible for only a portion of the liability, and then you’re talking civil juries deciding percentages of fault to assign damages.
I do think the “left your house unlocked, got robbed” analogy is a bit off for this though. As far as the user could reasonably know, setting a lock code on your phone should be enough to qualify as “locking the house.” Unbeknownst to the user/homeowner, there was a flaw in the lock that allowed it to be trivially picked even if it was properly locked. Some liability is due the lock maker in this case, as it could be reasonably argued the product wasn’t fit for the purpose it was sold. I don’t think that applies quite as cleanly to Starbucks in this case as 1) the app is free (not sold), and 2) the app’s purpose for which it’s marketed isn’t to keep your password secure. That’s something one might expect/hope of it, but it’s a stretch to turn that expectation into grounds for a lawsuit.
The harm in any such case is likely to be well below that of the legal fees to pursue it unless you manage to get them on some statutory minimum penalties (in excess of the actual value of the harm) or turn it into a class action which would require significant numbers of people who were actually harmed (their passwords were used). I’m not aware of any such statute for something like this. Maybe some kind of treble damages thing for gross negligence, but you’re still talking triple the cost of a couple of cups of coffee, so not something worth suing over. Given how trivially, stupidly easy it is in iOS to store a password like this in Keychain in such a way that it can’t be dumped by simply plugging in the device, calling this gross negligence isn’t much of a stretch.
The only way to fix something like this would be to pass new legislation that specifically creates a tort for the act of storing user’s credentials (or perhaps PII in general) in an insecure manner. I’d personally like to see that done, but the details of how to define “a secure manner” and what information should be covered would take a lot of work to hash to prevent loopholes or making it so onerous that developers couldn’t actually comply with it for any non-trivial app.
Re: (Score:2)
Before you have grounds for a suit based on liability, you have to show harm that wasn’t already reimbursed by anyone who you might seek to hold liable.
Typically, you'd acquire a coffee shop's grounds from their refuse receptacle, but, as Starbucks is known to recycle their grounds, that might make holding them liable for anything slightly more difficult.
And yes, I'm going for a "Funny" mod here.
Re: (Score:2)
If Starbucks offers no grounds for a suit based on liability, at least a tailor's shop is grounds for a suit based on wool.
(I'm going for "Funny" too, but neither one of us is likely to get it. :-)
Re: (Score:2)
Re:When will companies be held liable? (Score:4, Informative)
I can't speak to the iOS installations, but Google Play reports that the Starbucks app has between 1 million and 5 million installs: https://play.google.com/store/apps/details?id=com.starbucks.mobilecard [google.com]
If iOS has a similar installation base, we're talking somewhere between 1 million and 10 million affected users.
Re:Android security (Score:2)
Re: (Score:2)
My main reason for using the Starbucks app is so that I don't have yet another card taking up space in my wallet (by using a Starbucks card you get a free drink every so often, as well as eligibility for gold membership which gives you free syrups and extra shots).
More importantly though, why do you think this only affected two people? Even computer novices know how to use a smartphone and I think you would be surprised at how often I see some old geezer using an app to pay for something or check in somewhe
Most popular smartphone payment app (Score:4, Informative)
Why would anyone use a Starbucks app? My guess is that the security hole affected at most two people: The Starbucks marketing manager who wanted it and the guy who developed it.
The Starbucks app is THE most popular smartphone payment app for retailers out there. It allows you to bring up a barcode on your smartphone screen to pay. On the iPhone it also is aware of when you walk into a Starbucks location and you do not even have to pull up the app thanks to the Passbook on the iphone. You just swipe the screen and it brings the barcode up for payment. Very easy to use and faster than cash or credit card. Payment is behind the scenes with an credit card attached to a Starbucks card. You can have multiple cards and transfer balances between them. If you want to see the future of using a smartphone to pay for products, you should be looking at this app. Starbucks is way ahead of anyone else in implementing this stuff. If you actually go into a Starbucks you'll almost certainly see someone using their smartphone to pay for their drinks.
No I don't work for Starbucks and I'm not promoting or disparaging the product. Merely describing what Starbucks has done. It is attention worthy whether you like Starbucks or not.
They already are (Score:2)
Companies already are held liable for implementing incompetent security, and are punished by their customers who stop buying their shoddy product, and possibly all their other products, whether shoddy or not. This is already the worst thing you can do to a company.
Re: (Score:2)
So sue them for all the harm caused by someone possibly knowing what your favorite overpriced beverage is.
Re: (Score:2)
Bad Coffee, Bad App (Score:4, Insightful)
Re:Bad Coffee, Bad App (Score:5, Interesting)
Love my mocha's. Can't tell you how many times I got to a 'local' coffee house and get a crap mocha. Some like to put store bought chocolate syrup in it, others like to add a mocha powder without first turning it into a wet paste. I've had Swiss Miss packets added to a late and told this was their 'Cafe Mocha'.
All in all, I can count on one hand the number of good cafe mocha's I've had at 'local' coffee houses.
On the other hand, every Starbucks I got into, anywhere in the world, seems to have the same Cafe Mocha. It's as if they had a recipe and the barista's were trained to make it. I like being in a town for the first time in my life, finding a Starbucks and feeling a little bit like being at home.
In the end, I reward any store on it's quality, I don't stereotype a store based on it's number of locations or perceived local community value. Would you patron a crap restaurant just because it's "local"?
Re:Bad Coffee, Bad App (Score:5, Insightful)
Love my mocha's. Can't tell you how many times I got to a 'local' coffee house and get a crap mocha. Some like to put store bought chocolate syrup in it, others like to add a mocha powder without first turning it into a wet paste. I've had Swiss Miss packets added to a late and told this was their 'Cafe Mocha'.
All in all, I can count on one hand the number of good cafe mocha's I've had at 'local' coffee houses.
On the other hand, every Starbucks I got into, anywhere in the world, seems to have the same Cafe Mocha. It's as if they had a recipe and the barista's were trained to make it. I like being in a town for the first time in my life, finding a Starbucks and feeling a little bit like being at home.
In the end, I reward any store on it's quality, I don't stereotype a store based on it's number of locations or perceived local community value. Would you patron a crap restaurant just because it's "local"?
I think you are confusing quality with consistency... At Starbucks you are getting a known quality, it may not always be the best but its always the same. Independent places can be hit and mis, but usually once you find one that makes a product you like, its always good there. I have a good number of coffee shop choices and I go to one for a good latte and another for a good iced coffee (with coffee ice cubes too). But when I travel I usually go to Starbucks because I know its the same everywhere.
Quality is a complicated thing (Score:4, Insightful)
I think you are confusing quality with consistency...At Starbucks you are getting a known quality, it may not always be the best but its always the same. Independent places can be hit and mis, but usually once you find one that makes a product you like, its always good there
And you seem to be confusing quality with preference. Preference can be a component of quality but quality is more complex and some aspects of quality have a strong subjective component. Part of quality is fitness for a particular purpose, part of it is consistency of output, part of it is the relative superiority of the product, part of it is conformance to specifications, etc. Reliability, sustainability, serviceability and other factors may play a role.
You cannot really define quality solely in terms of customer preferences because customers often prefer things that are objectively inferior or even dangerous by some measure. We have customers at my company all the time that specify products that if built to their specs would not meet industry standards would fail in the field. What the customer thinks they want isn't always what they actually want.
When it comes to Starbucks products, they have very good quality by some measures. Their quality on more subjective measures depends on who is doing the evaluation. Obviously a lot of people like their products and are willing to pay a lot for them. Others not so much. I think a lot of people just dislike Starbucks not so much based on their merits of their products but rather based on a more vague dislike of the corporation or the experience of the place.
Re: (Score:2)
Independent places, in my experience, tend to be hit-or-miss at all scales... from the store, to the shift, to the barista/cook/whatever actually doing the work when you place your order.
Re: (Score:2)
Re: (Score:2)
The three most important things are McDonald's are consistency, consistency and consistency.
Although their international preparations change, fat contents of beef vary, and vegetables are often locally sourced, a Big Mac is a Big Mac is a Big Mac in pretty much every English speaking store on the planet, and the one you get on Tuesday will be made exactly the same was on Sunday.
Re: (Score:3)
Yep.
Why on earth would anybody need a "Starbucks App". With sensitive information in it, and a password.
What information is there to hack? If it's anything more than where the nearest store is and you coffee preference then you're DOING IT WRONG.
Hard to have this happen on Android... (Score:4, Interesting)
On Android, a phone will appear as a storage device or camera, unless someone enables debugging and authorizes a computer with its individual key to connect.
I don't see how an app could get data to a computer from a locked Android device unless the app managed to get itself root, or there was some other trick to break into the Android device (physical dumping the RAM), and if an attacker is that sophisticated, pretty much what an app tries to do for security is pointless.
Re: (Score:2)
The flaw is apparently exposed by the crash reporting software on iOS; not sure why Android would be protected inherently.
Re: (Score:1)
To use an Android analogy, they were storing the passwords etc. in plain text on the phone's memory card with the app's data files, so when the phone was connected to a computer and was mounted as a storage device, it was completely trivial to read it. The developers seemed to assume that because their app can't read any other app's folders (sandboxing), those folders were completely inaccessible to anything but the app that they belong to. Unfortunately that whole space is mounted and made available to the
Re:Hard to have this happen on Android... (Score:5, Informative)
This is wrong and should be ignored. It's not stored unencrypted in the app's data folders; it's sent unencrypted to the debug log, which is also readable to anyone on the host PC.
Re: (Score:2)
which is also readable to anyone on the host PC.
So that's what is meant by "bypassing lock screen or PIN security features"?
Re: (Score:2)
USB access to Android phones allows transfer of files from a number of folders without unlocking the device.
[Most application data directories, of course, aren't among those, but they're not regularly exposed at all during USB connections, so...]
Re: (Score:3)
Re:Hard to have this happen on Android... (Score:4, Informative)
However, I don't buy it. If this researcher has found a way to bypass the hardware encryption on a locked iOS device, that sounds like a bigger and more interesting security hole than one in a shitty Starbucks app.
Re: (Score:2)
Ummm ... except law enforcement has been able to do this for some time now [forbes.com].
I think it's even been covered here -- I didn't think it was news.
Re: (Score:2)
Re: (Score:2)
iOS is actually very similar. Without an application like PhoneView or Xcode, just connecting a device will not provide obvious access to per application data that is not explicitly shared. If the device is locked, then access is unavailable even to those methods. If the application itself requested data protection, then even physical access to the flash chips would prove useless. Of course, a developer who decided to store everything in plain text would probably not take the extra strep to request encr
Re: (Score:2)
iOS is actually very similar. Without an application like PhoneView or Xcode, just connecting a device will not provide obvious access to per application data that is not explicitly shared. If the device is locked, then access is unavailable even to those methods. If the application itself requested data protection, then even physical access to the flash chips would prove useless. Of course, a developer who decided to store everything in plain text would probably not take the extra strep to request encryption. I just wonder why they didn't use the system Keychain. Easy to use and the OS takes care of all these problems.
First, everything is always encrypted on the iPhone. With no passcode, that doesn't help much because the iPhone itself can read the data. With passcode set, the iPhone needs the passcode to read the data and no way around that. In addition, apps can request that a file is encrypted with a different key, which means the passcode needs to be entered _for that file_. And there's the keychain of course.
Security risks are: Unencrypted backups to iTunes (there's a switch "encrypt backups". Turn it on). And as
Re: (Score:1)
Thank you. I didn't realize device specific keys are fused into the processor itself. This would, of course, render my comment about access to the flash chips incorrect.
Storing it in the keychain (with the correct protection class) would prevent access even for an unencrypted backup.
Also, specifically asking for per file data protection would prevent access for an unencrypted backup.
Basically, doing anything other than the bare minimum would have prevented access to the Starbucks data.
Does anyone have any
Re: (Score:2)
Apps with root access can see the entire filesystem, yes.
You'd need (a) a rooted phone, and (b) to have given the application access -- e.g. many backup programs running on rooted phones.
Re: (Score:1)
Thank you very much for the reply.
Then how do these malware apps spread or infect devices? Or is that just an over exaggerated example that really doesn't happen.
Re: (Score:2)
Most Android malware is installed by user choice, from unsavory sources. If you check the "Trust me, I know what I'm doing" box, you can install an .apk file from anywhere.
Then, in the normal security dialogs, you'll let it do things like send messages or take photos or access the internet -- and then it does just that, except not when you're expecting it.
Your new app can access "public" spaces in the filesystem, like saved photos, contacts (if allowed), etc. but it can't get data out of another program di
Re: (Score:2)
Programs can, of course, run at startup - otherwise all of your push-based applications and automatic realtime Craigslist searchers would be pretty sad.
http://developer.android.com/guide/topics/security/permissions.html [android.com]
Re: (Score:2)
This is better than my other link, sorry:
Re: (Score:2)
Re: (Score:1)
I don't see how an app could get data to a computer from a locked Android device unless the app managed to get itself root, or there was some other trick to break into the Android device (physical dumping the RAM), and if an attacker is that sophisticated, pretty much what an app tries to do for security is pointless.
That doesn't seem terribly convenient. Why don't they do it like Apple does? /snark
Re: (Score:3)
Re: (Score:2)
"If this post is marked Troll, I pissed off a fanboy again." Or maybe you made a snarky post falsely implying Apple doesn't do exactly the same thing, even though they do?
Except they don't. Plug in an iPhone and it'll immediately dump its guts to whatever its connected to without requiring interaction with the device itself. It does this by default. Android does not.
Re: (Score:2)
This security feature is new in 4.2 (Score:2)
unless someone enables debugging and authorizes a computer with its individual key to connect.
Authorizing an individual computer wasn't introduced until around 4.2 (Jelly Bean 2) or thereabouts [androidpolice.com]. There are still Android devices in use running older operating systems whose manufacturer declines to update the operating system.
Is this really a surprise? (Score:5, Insightful)
Re: (Score:3)
Funny story about this point (anonymized to protect the guilty): A former coworker described working with a guy about 5 years ago who wasn't familiar with the concept of an "array", or in fact much else that would imply any kind of structure or competence. He lasted about 3-5 days before he was caught. Well, I decided to move on, and landed a position in another organization, and lo and behold that same guy had been their sole developer for 4 years! In addition, he'd done some work for some small businesses
Re: (Score:2)
The system of logic likely starts with the fact that it is low-value transactions, and a limited maximum stored value. Hey, it's more secure than a credit card, right? Then you get creep...
The Starbucks app has much worse security problems; a photo of the 2D barcode cannot be revoked as a valid credential.
Re: (Score:2)
The Starbucks app has much worse security problems; a photo of the 2D barcode cannot be revoked as a valid credential.
In the Starbucks app you can create a new card and then delete the old one. Or just go purchase another card and add it into the Starbucks app.
Re: (Score:2)
It goes like this:
PHB: So how's that App coming.
Coder: It is basically functional but we still need to work on the securi...
PHB: SHIP IT!
My Order (Score:3)
Yeah, I'd like a Venti Latte with a shot of espresso and a shot of security vulnerabilities.
Nobody gives a fuck (Score:4, Insightful)
If you're concerned about data security, you don't have meaningful data on your phone. Most smartphone apps wouldn't pass as prototypes in any serious environment. The entire system is made to look nice first, functionality is a distant second and security doesn't even make the list. Users do not care. It's like credit cards: Convenience trumps all.
Re: (Score:2)
If you're concerned about data security, you don't have meaningful data on your phone. Most smartphone apps wouldn't pass as prototypes in any serious environment. The entire system is made to look nice first, functionality is a distant second and security doesn't even make the list. Users do not care. It's like credit cards: Convenience trumps all.
A bit over-sensationalized (Score:3, Insightful)
First, there's no question that this is an example of a horrible design, and a security flaw that should be fixed.
But the article is way over-the-top. It talks about "credit card numbers", pretty much implying that they are in clear text (TFA, not the actual report). Credit card numbers are not stored in clear text, nor would the clear text credentials give you access to the credit card numbers.
Also, this is really an article about bypassing the lock code, and nothing else. Physical access to a computer (phone) can eventually get you more sensitive stuff than a cup of coffee.
Re: (Score:3)
First, there's no question that this is an example of a horrible design, and a security flaw that should be fixed.
But the article is way over-the-top. It talks about "credit card numbers", pretty much implying that they are in clear text (TFA, not the actual report). Credit card numbers are not stored in clear text, nor would the clear text credentials give you access to the credit card numbers.
Also, this is really an article about bypassing the lock code, and nothing else. Physical access to a computer (phone) can eventually get you more sensitive stuff than a cup of coffee.
I don't think credit card numbers are used by the app, anyway. All it has is my Starbucks card linked to it, which in turn is linked to my credit card. But that's on their web site, not the phone app. Not saying they're doing any better of a job storing my credit card information in their back-end databases, but I'm reasonably sure it's not stored on my phone.
Re: (Score:3)
So, the question one needs to ask is ... if the website is storing your credit card, and the app is storing your password in plaintext ... given your password and knowledge of your Starbucks card (which is apparently on the phone), can someone get into the Starbucks website and actually get to your credit card?
Re: (Score:2)
AFIAK, the website doesn't allow you to retrieve your credit card; just change it.
Re: (Score:2)
You can't find out your own CC number on the Starbucks website.
The only thing someone could do with this "giant hack" is order a free lattee. Seeing how in order to do this "giant hack" they need your phone, why wouldn't they just sell it on eBay. After all you can get many lattes with $200.
Not as retro as I hoped (Score:2)
simply by connecting the phone to a computer
On first read I thought someone had hacked into their servers over dial-up, but it wasn't that interesting.
Always look at the app requirements (Score:3)
The Starbuck's app requirement list clearly indicates all kinds of terrible behavio including it needs to be able to make calls and read your contacts list. There may be more, but after those two I stopped reading and declined to install. A vendor's app has no need to do these things. I figured if they're already that bad, there's no telling what mischief their app might get up to.
That's a Feature (Score:5, Insightful)
Firefox (unless you turn on the master password) and Pidgin also store passwords in cleartext. The Pidgin devs explained that this is because they don't want to implement security through obscurity, as anyone with access to the stored plaintext xml file already has access to your computer anyway and could presumably decrypt it if they tried to secure it anyway.
Admittedly, it's a bit different when we're talking about cell phones.
Re: (Score:1)
Re: (Score:2)
Well, if you leave your cellphone sitting around, it's a lot easier to steal than a desktop, and somewhat easier than a laptop or tablet. And do you keep your cell locked when you're not using it? How effective is the security on it to a real computer? I'm not knowledgeable about such things so I couldn't say.
Re: (Score:2)
(I didn't RTFA, of course...)
Apparently the problem is that the app logs the password to a generic logging facility, and the attack is to read this log, not to read info from where it's "stored" as such.
AIUI, the fact that anyone can read this log file over USB is intentional, and apps are supposed to sanitize entries of sensitive data before logging them, so the fault lies with the app here.
Oh no! (Score:2)
Someone might steal your phone then... buy you a coffee?
Android seems ok (Score:2)
I didn't spend much time on it, but this doesn't seem to be the case on Android. First of all, they never store things outside of /data/data/com.starbucks.mobilecard. So only a root application would be able to read things. Secondly, the main sqlite database they seem to be storing things in is encrypted.
So, what SHOULD it have done? (Score:2)
So, what's the solution? We're NOT talking about a password file that can be stored in a hashed manner - that's receiving and verifying passwords, not sending them. Web browsers don't store cookies/tokens in an encrypted manner - if you got them you could
Re: (Score:2)
From the article:
So I suspect the issue is that he thinks CC data might also be available in plain text, but he couldn't be bothered spending the 10 seconds it would take to actually check if that i
Re: (Score:2)
So - knowing that the app needs to somehow either cache this info in a way it can get it back to login, or have you re-enter the password every time, I'll ask again:
What SHOULD they have done differently.
Re: (Score:2)
Re: (Score:2)
Correct me if I am wrong, but the phone holds starbucks cards, not credit cards. You connect to starbucks.com to "register" and to setup auto-reload on your starbucks card, in order to earn points. The website caches the CC numbers, the phone holds the starbucks card.
even better... you phone put's your starbucks card in a PDF417 barcode format, making it vulnerable to ocular attack. I could snap a picture of your barcode, and get the benefits of your "auto-reload" starbucks card, and I get free coffee on your dime.
That's what I was thinking.... Not a huge risk and not what I'd be worried about if someone stole my $600 phone. The card number is printed right on the card so its no more risk than if they stole my wallet.
Re: (Score:3)
I use the Starbucks app, but will remove it from my phone now, until this issue has been pro