Starbucks Phone App Stores Password Unencrypted
JThaddeus writes "The Daily Caller reports a serious security flaw in the Starbucks phone app: 'Starbucks confirmed late Tuesday that anyone could access the unencrypted data stored on the official Starbucks app simply by connecting the phone to a computer – bypassing lock screen or PIN security features with no hacking or jailbreaking necessary.' The linked report is for iOS. No mention of Android, but do you think it is any different?" (Starbucks says they've addressed the problem.)
When will companies be held liable for implementing incompetent security (or not implementing it at all)?
The marketing weenies are all over getting the brand out, but don't give a shit about security.
Companies should be getting fined for crap like this. Between data breaches and gross incompetence at any form of security, trusting a marketing app is the height of stupid.
What's the difference? Patronize a local shop that doesn't over-roast the coffee.
On Android, a phone will appear as a storage device or camera, unless someone enables debugging and authorizes a computer with its individual key to connect.
I don't see how an app could get data to a computer from a locked Android device unless the app managed to get itself root, or there was some other trick to break into the Android device (physically dumping the RAM), and if an attacker is that sophisticated, pretty much what an app tries to do for security is pointless.
Correct me if I am wrong, but the phone holds Starbucks cards, not credit cards. You connect to starbucks.com to "register" and to set up auto-reload on your Starbucks card, in order to earn points. The website caches the CC numbers, the phone holds the Starbucks card.
Even better... your phone puts your Starbucks card in a PDF417 barcode format, making it vulnerable to ocular attack. I could snap a picture of your barcode, and get the benefits of your "auto-reload" Starbucks card, and I get free coffee on your dime.
Well if the Android version of this app works as it should, the information would be stored in a non-accessible location requiring a root-enabled browser to navigate to it, thus making it basically "not there" when connected to a Windows PC.
But.....
Who the hell wants a starbucks app, on any device?
Anyone who's ever worked in software has to realize that the incompetent pinheads that they've worked with before are still floating around out there, doing ever more damage, instead of just fading away and working as a greeter at Wal-Mart. I've worked with people whose code was terrible, at best, and who were barely able to get their crap to compile. I've also worked with people who had no concept of security (including storing plain text passwords). They've moved on to other software positions, and are still writing bad code for some surprisingly large names. And then, there's the pressure factor. I was once asked to implement a feature that was the same as removing any user validation from a high-dollar enterprise app. I flatly refused, because I could pretty much walk out and be in another job within a couple of days. Would a person who is on the edge of technical incompetency, and knowing their prospects are limited, take the same position? No, they'll say "Yes sir!", bang that code out, and move on to the next debacle. Good management would alleviate this, but let's face it -- bad managers are a dime a dozen, too.
I'm up in yer iPhone, orderin up the moca-choca-grande-blizatte-frappafuckarino and chargin it to your CC.
I can't wait to see the deluge of hipster outrage conflicting with the hipster Starbucks loyalty. Heads will be exploding all over the place.
Yeah, I'd like a Venti Latte with a shot of espresso and a shot of security vulnerabilities.
Coder's Stone: The programming language quick ref for iPad
If you're concerned about data security, you don't have meaningful data on your phone. Most smartphone apps wouldn't pass as prototypes in any serious environment. The entire system is made to look nice first, functionality is a distant second and security doesn't even make the list. Users do not care. It's like credit cards: Convenience trumps all.
I prefer whisky... and don't like smartphones either, so yeah...
Captcha: critique
First, there's no question that this is an example of a horrible design, and a security flaw that should be fixed.
But the article is way over-the-top. It talks about "credit card numbers", pretty much implying that they are in clear text (TFA, not the actual report). Credit card numbers are not stored in clear text, nor would the clear text credentials give you access to the credit card numbers.
Also, this is really an article about bypassing the lock code, and nothing else. Physical access to a computer (phone) can eventually get you more sensitive stuff than a cup of coffee.
Never. Per the last few hundred years of legal precedent, the companies are the victims. It's in the same category as leaving a house unlocked. Legally, the person at fault is the one who decided to abuse the flaw and access information they aren't supposed to.
Even if true (and I don't agree that it is) this is easily remedied through legislation making inadequate care of customer data illegal by statute (negligence per se). Furthermore there are a variety of duty of care torts under which a company could be legally charged including potentially fiduciary duty in some cases.
The fact that many companies are incompetent is not a sufficient excuse and should never be regarded as such.
Although, Target has been really taking it on the chin the last several weeks and I'm sure they are learning a valuable lesson. Although that was an internal POS system: not a payment app.
Now this Starbucks app, yeah it's a stupid oversight, but how much damage can one do at a Starbucks? Order a really really expensive drink and pastry for an entire car load of people? $50? Yeah, it's like someone picking your pocket of $50 - but still - the indignant outrage over a stupid error that was discovered by a security researcher. The hackers and crooks are out for bigger fish than getting free coffees.
It's not like it's a borrowing app for Bank of America where folks are taking out mortgages in the phone owner's name.
I think you are confusing quality with consistency... At Starbucks you are getting a known quality, it may not always be the best but it's always the same. Independent places can be hit and miss, but usually once you find one that makes a product you like, it's always good there.
And you seem to be confusing quality with preference. Preference can be a component of quality but quality is more complex and some aspects of quality have a strong subjective component. Part of quality is fitness for a particular purpose, part of it is consistency of output, part of it is the relative superiority of the product, part of it is conformance to specifications, etc. Reliability, sustainability, serviceability and other factors may play a role.
You cannot really define quality solely in terms of customer preferences because customers often prefer things that are objectively inferior or even dangerous by some measure. We have customers at my company all the time that specify products that, if built to their specs, would not meet industry standards and would fail in the field. What the customer thinks they want isn't always what they actually want.
When it comes to Starbucks products, they have very good quality by some measures. Their quality on more subjective measures depends on who is doing the evaluation. Obviously a lot of people like their products and are willing to pay a lot for them. Others not so much. I think a lot of people just dislike Starbucks not so much based on the merits of their products but rather based on a more vague dislike of the corporation or the experience of the place.
simply by connecting the phone to a computer
On first read I thought someone had hacked into their servers over dial-up, but it wasn't that interesting.
systemd is Roko's Basilisk.
The Starbucks app requirement list clearly indicates all kinds of terrible behavior including it needs to be able to make calls and read your contacts list. There may be more, but after those two I stopped reading and declined to install. A vendor's app has no need to do these things. I figured if they're already that bad, there's no telling what mischief their app might get up to.
1. Companies start being held liable for app security.
2. Starbucks stores conveniently work properly with some app released by an anonymous guy online you can't sue.
IMHO the height of stupid is trusting anything important whatsoever to closed-source software with no guarantees or accountability. Do you REALLY need an app to buy coffee?
Companies already are held liable for implementing incompetent security, and are punished by their customers who stop buying their shoddy product, and possibly all their other products, whether shoddy or not. This is already the worst thing you can do to a company.
unless someone enables debugging and authorizes a computer with its individual key to connect.
Authorizing an individual computer wasn't introduced until around 4.2 (Jelly Bean 2) or thereabouts. There are still Android devices in use running older operating systems whose manufacturer declines to update the operating system.
Firefox (unless you turn on the master password) and Pidgin also store passwords in cleartext. The Pidgin devs explained that this is because they don't want to implement security through obscurity, as anyone with access to the stored plaintext xml file already has access to your computer anyway and could presumably decrypt it if they tried to secure it anyway.
Admittedly, it's a bit different when we're talking about cell phones.
Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
On my Android phone (Moto Droid Razr), the flash storage is not accessible via USB until I unlock the phone. Of course, the SD card could be removed, but most applications store to the internal flash by default, so there is at least a moderate level of protection against that kind of attack on Android.
A verbose disclosure
http://seclists.org/fulldisclosure/2014/Jan/64
Someone might steal your phone then... buy you a coffee?
At least on iOS 7, not only do you need to unlock the phone, you need to opt in to trusting the computer.
So it's really only an issue on devices running 6 or earlier that aren't in supervised mode (20%) or not having a passcode set at all (likely 40% or so).
That's a significant fraction of the devices out there, but for most it's within the phone owner's power to fix.
Why would anyone use a Starbucks app? My guess is that the security hole affected at most two people: The Starbucks marketing manager who wanted it and the guy who developed it.
The Starbucks app is THE most popular smartphone payment app for retailers out there. It allows you to bring up a barcode on your smartphone screen to pay. On the iPhone it also is aware of when you walk into a Starbucks location and you do not even have to pull up the app thanks to the Passbook on the iPhone. You just swipe the screen and it brings the barcode up for payment. Very easy to use and faster than cash or credit card. Payment is behind the scenes with a credit card attached to a Starbucks card. You can have multiple cards and transfer balances between them. If you want to see the future of using a smartphone to pay for products, you should be looking at this app. Starbucks is way ahead of anyone else in implementing this stuff. If you actually go into a Starbucks you'll almost certainly see someone using their smartphone to pay for their drinks.
No I don't work for Starbucks and I'm not promoting or disparaging the product. Merely describing what Starbucks has done. It is attention worthy whether you like Starbucks or not.
I didn't spend much time on it, but this doesn't seem to be the case on Android. First of all, they never store things outside of /data/data/com.starbucks.mobilecard. So only a root application would be able to read things. Secondly, the main sqlite database they seem to be storing things in is encrypted.
Unstable Apps: Our Android Apps Don't Suck
So, what's the solution? We're NOT talking about a password file that can be stored in a hashed manner - that's receiving and verifying passwords, not sending them. Web browsers don't store cookies/tokens in an encrypted manner - if you got them you could use them elsewhere (assuming they weren't tied to IP address or whatever).
So - (and I'm asking literally, not rhetorically) what should they have done?
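One concrete answer to the question above, as an added example that is not part of the thread and not Starbucks' code: the app never persists the password at all. It sends the password once (over TLS, assumed here) to obtain an opaque, random, per-device token, and only that token is stored on the phone. The server keeps a hash of the token rather than the token itself, and a lost phone is handled by revoking that one device's token without touching the user's password. The `Server` and `App` classes, the in-memory dictionaries standing in for a database and the device keychain, and the PBKDF2 round count are all assumptions made for this demo.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 200_000  # assumption for the demo; tune for real hardware


class Server:
    """Back end: verifies passwords once, then issues and revokes per-device tokens."""

    def __init__(self):
        self._users = {}   # username -> (salt, pbkdf2 digest); never the password
        self._tokens = {}  # sha256(token) -> (username, device_id); never the token

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[username] = (salt, digest)

    def login(self, username, password, device_id):
        """Check the password; on success hand back a fresh opaque token."""
        if username not in self._users:
            return None
        salt, digest = self._users[username]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, digest):
            return None
        token = secrets.token_urlsafe(32)
        # Store only the hash: a copied token table cannot be replayed.
        self._tokens[hashlib.sha256(token.encode()).hexdigest()] = (username, device_id)
        return token

    def authorize(self, token):
        """Resolve a presented token to a username, or None if unknown or revoked."""
        if token is None:
            return None
        entry = self._tokens.get(hashlib.sha256(token.encode()).hexdigest())
        return entry[0] if entry else None

    def revoke_device(self, username, device_id):
        """Invalidate one device's token (lost phone); the password is untouched."""
        self._tokens = {h: v for h, v in self._tokens.items()
                        if v != (username, device_id)}


class App:
    """The phone side. `stored` stands in for whatever the app persists on the
    device (a keychain item in real life). The password is used and dropped."""

    def __init__(self, device_id):
        self.device_id = device_id
        self.stored = {}

    def sign_in(self, server, username, password):
        token = server.login(username, password, self.device_id)
        if token is None:
            return False
        self.stored = {"username": username, "token": token}
        return True

    def persisted_data(self):
        """What an attacker with the phone's storage would actually get."""
        return dict(self.stored)

    def pay(self, server):
        return server.authorize(self.stored.get("token"))


if __name__ == "__main__":
    srv = Server()
    srv.register("alice", "latte-pw")          # constructed sample account
    phone = App("phone-1")
    print("sign in:", phone.sign_in(srv, "alice", "latte-pw"))
    print("on device:", phone.persisted_data())  # token only, no password
    print("pay as:", phone.pay(srv))
    srv.revoke_device("alice", "phone-1")
    print("pay after revoke:", phone.pay(srv))   # None
```

The point the thread is circling: a stored token is not "the password in a different font". It can be scoped to one device, rotated, and revoked server-side the moment the phone is reported lost, and whoever reads it off the phone's storage learns nothing that lets them log in elsewhere or change the account's password.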