Starbucks admits to storing user passwords in plain text, vows to update iPhone app with fix

Douglas Soltys

January 16, 2014 9:01 am

In the wake of the 40 million customer payment cards that were compromised due to a Target security breach, greater attention is being paid to the efforts of major consumer chains to protect our data. This week’s events indicate that while Starbucks is generally considered one of the more tech-savvy brands, this savviness does not apply to information security.

Here’s the scenario. Back in November, security researcher Daniel Wood noted a flaw in Starbuck’s iOS app: user passwords were being stored in the app as plain text, and could be viewed by anyone able to connect the device to a computer and grab its crash logs. After months of trying and failing to inform Starbucks’ corporate security team, Wood published his findings on Monday. Starbucks then claimed yesterday that they had fixed the issue already, which didn’t make any sense, as such a fix would require an app update. Today, in a press statement, Starbucks has admitted to the vulnerability and announced it is working to quickly release an iOS update.

First, not hashing user data is, at a development level, just a bad move; for a large consumer brand like Starbucks it’s a violation of trust – consumers simply expect greater protection of their personal data. But while the vulnerability itself is troubling, Starbucks’ actions are more so, indicating either a limited understanding of mobile security, or an attempt to mislead the public.

Starbucks’ press statement (posted below) refers to the issue as a “theoretical vulnerability”, of which “there is no indication that any information has been compromised” – off-putting statements when theoretical in this case becomes practical with a Lightning cable and a limited familiarity with iPhone crash logs (something every iOS developer or QA tester has). Starbucks claims that its prior measures “sufficiently address the concerns raised in the research report” are confusing due to the nature of the vulnerability itself, and disingenuous in the face of a forthcoming app update, which the company claims is “out of an abundance of caution.”

Starbucks may simply be muddling the issue in an attempt to simplify it for consumers, but honestly, consumers know better. They read sites various tech-related sites, and they know how to use Google – ‘clear’ statements running counter to the rest of the Internet simply won’t fly. Starbucks first needs to fix its mobile security holes, but a second look at its messaging practices wouldn’t hurt, either.


January 16, 2013
Dear Customer,

Your security is incredibly important to us. This week a research report identified theoretical vulnerabilities associated with the Starbucks Mobile App for iOS in the event a customer’s iPhone were to be physically stolen and hacked.

We’d like to be clear: there is no indication that any customer has been impacted by this or that any information has been compromised. Regardless, we take these types of concerns seriously and have added several safeguards to protect the information you share with us. To protect the integrity of these added measures, we are unable to share technical details but can assure you that they sufficiently address the concerns raised in the research report.

Out of an abundance of caution, we are also working to accelerate the deployment of an update for the app that will add extra layers of protection. We expect this update to be ready soon and will share our progress here. While we are working on the update, we would like to emphasize that your information is protected and that you should continue to feel confident about the integrity of our iOS app.

We appreciate your business and believe it is our job to earn your trust as a customer. We also know that constant vigilance is the best way to protect you and the information you share with us. If you think your information may have been compromised for any reason, please contact our Customer Care team at 1-800-23-LATTE or atwww.starbucks.com/customer.

Sincerely,
Curt Garner
Starbucks chief information officer