Starbucks Phone App Stores Password Unencrypted

← Back to Stories (view on slashdot.org)

Starbucks Phone App Stores Password Unencrypted

Posted by timothy on Thursday January 16, 2014 @04:35AM from the don't-spend-it-all-in-one-place dept.

JThaddeus writes "The Daily Caller reports a serious security flaw in the Starbucks phone app: 'Starbucks confirmed late Tuesday that anyone could access the unencrypted data stored on the official Starbucks app simply by connecting the phone to a computer – bypassing lock screen or PIN security features with no hacking or jailbreaking necessary.' The linked report is for iOS. No mention of Android, but do you think it is any different?" (Starbucks says they've addressed the problem.)

11 of 137 comments (clear)

Min score:

Reason:

Sort:

When will companies be held liable? by Anonymous Coward · 2014-01-16 04:38 · Score: 5, Interesting

When will companies be held liable for implementing incompetent security (or not implementing it all)?
The marketing weenies are all over getting the brand out, but don't give a shit about security.
Companies should be getting fined for crap like this. Between data beaches and gross incompetence at any form of security, trusting a marketing app is the height of stupid.
1. Re:When will companies be held liable? by Sarten-X · 2014-01-16 04:45 · Score: 5, Insightful
  
  Never. Per the last few hundred years of legal precedent, the companies are the victims. It's in the same category as leaving a house unlocked. Legally, the person at fault is the one who decided to abuse the flaw and access information they aren't supposed to.
  There is a case for negligence, but that requires that the negligent party be unreasonably incompetent, and at the moment, most companies with these kind of security problems are performing on par with most of America - the non-techies who don't understand security.
  
  --
  You do not have a moral or legal right to do absolutely anything you want.
2. Re:When will companies be held liable? by Aaden42 · 2014-01-16 05:25 · Score: 5, Insightful
  
  Before you have grounds for a suit based on liability, you have to show harm that wasn’t already reimbursed by anyone who you might seek to hold liable.
  There’s no “harm” done to you by having your password stored in the clear on your device. If someone got that password, used it to run up charges on your account, then there’s harm done. If Starbucks policy results in you being refunded and not being held accountable for those charges, then there’s still no harm. You’ve already been made whole in monetary terms before any legal proceeding might have commenced, QED no grounds for any legal proceeding.
  Also, as others have pointed out, the harm isn’t actually perpetrated by Starbucks in this case. It’s done by whoever got your phone, extracted the password, and used it for mayhem. A defense attorney for Starbucks would make a (rather valid IMHO) argument that by allowing someone else to take your phone and plug it into their computer, you failed to take reasonable actions to secure your own system. At best, Starbucks is responsible for only a portion of the liability, and then you’re talking civil juries deciding percentages of fault to assign damages.
  I do think the “left your house unlocked, got robbed” analogy is a bit off for this though. As far as the user could reasonably know, setting a lock code on your phone should be enough to qualify as “locking the house.” Unbeknownst to the user/homeowner, there was a flaw in the lock that allowed it to be trivially picked even if it was properly locked. Some liability is due the lock maker in this case, as it could be reasonably argued the product wasn’t fit for the purpose it was sold. I don’t think that applies quite as cleanly to Starbucks in this case as 1) the app is free (not sold), and 2) the app’s purpose for which it’s marketed isn’t to keep your password secure. That’s something one might expect/hope of it, but it’s a stretch to turn that expectation into grounds for a lawsuit.
  The harm in any such case is likely to be well below that of the legal fees to pursue it unless you manage to get them on some statutory minimum penalties (in excess of the actual value of the harm) or turn it into a class action which would require significant numbers of people who were actually harmed (their passwords were used). I’m not aware of any such statute for something like this. Maybe some kind of treble damages thing for gross negligence, but you’re still talking triple the cost of a couple of cups of coffee, so not something worth suing over. Given how trivially, stupidly easy it is in iOS to store a password like this in Keychain in such a way that it can’t be dumped by simply plugging in the device, calling this gross negligence isn’t much of a stretch.
  The only way to fix something like this would be to pass new legislation that specifically creates a tort for the act of storing user’s credentials (or perhaps PII in general) in an insecure manner. I’d personally like to see that done, but the details of how to define “a secure manner” and what information should be covered would take a lot of work to hash to prevent loopholes or making it so onerous that developers couldn’t actually comply with it for any non-trivial app.
3. Re:When will companies be held liable? by dkleinsc · 2014-01-16 06:40 · Score: 4, Insightful
  
  It's in the same category as leaving a house unlocked.
  That analogy is incorrect. In a correct analogy, the locksmith installed a lock that he swore up and down would protect your home, you locked the door thinking you were fine, and then somebody came in and stole a bunch of things. And that would in fact make the locksmith liable, especially if there was a written guarantee on the lock and the locksmith's work (but even if not, there's the implied warranty of merchantability that says that he's still liable).
  And as soon as you look at the case that way, Starbucks is being negligent, just like the locksmith was in our analogous scenario. The key factor here is that the victim of the crime is not the person who left themselves vulnerable to it through their own stupidity.
  
  --
  I am officially gone from /. Long live http://www.soylentnews.com/
Bad Coffee, Bad App by Anonymous Coward · 2014-01-16 04:39 · Score: 4, Insightful

What's the difference? Patronize a local shop that doesn't over-roast the coffee.
1. Re:Bad Coffee, Bad App by malakai · 2014-01-16 04:56 · Score: 4, Interesting
  
  Love my mocha's. Can't tell you how many times I got to a 'local' coffee house and get a crap mocha. Some like to put store bought chocolate syrup in it, others like to add a mocha powder without first turning it into a wet paste. I've had Swiss Miss packets added to a late and told this was their 'Cafe Mocha'.
  All in all, I can count on one hand the number of good cafe mocha's I've had at 'local' coffee houses.
  On the other hand, every Starbucks I got into, anywhere in the world, seems to have the same Cafe Mocha. It's as if they had a recipe and the barista's were trained to make it. I like being in a town for the first time in my life, finding a Starbucks and feeling a little bit like being at home.
  In the end, I reward any store on it's quality, I don't stereotype a store based on it's number of locations or perceived local community value. Would you patron a crap restaurant just because it's "local"?
  
  --
  -Malakai
  A Dragon Lives in my Garage
2. Re:Bad Coffee, Bad App by hawguy · 2014-01-16 05:11 · Score: 4, Insightful
  
  Love my mocha's. Can't tell you how many times I got to a 'local' coffee house and get a crap mocha. Some like to put store bought chocolate syrup in it, others like to add a mocha powder without first turning it into a wet paste. I've had Swiss Miss packets added to a late and told this was their 'Cafe Mocha'.
  All in all, I can count on one hand the number of good cafe mocha's I've had at 'local' coffee houses.
  On the other hand, every Starbucks I got into, anywhere in the world, seems to have the same Cafe Mocha. It's as if they had a recipe and the barista's were trained to make it. I like being in a town for the first time in my life, finding a Starbucks and feeling a little bit like being at home.
  In the end, I reward any store on it's quality, I don't stereotype a store based on it's number of locations or perceived local community value. Would you patron a crap restaurant just because it's "local"?
  I think you are confusing quality with consistency... At Starbucks you are getting a known quality, it may not always be the best but its always the same. Independent places can be hit and mis, but usually once you find one that makes a product you like, its always good there. I have a good number of coffee shop choices and I go to one for a good latte and another for a good iced coffee (with coffee ice cubes too). But when I travel I usually go to Starbucks because I know its the same everywhere.
Is this really a surprise? by Akratist · 2014-01-16 04:45 · Score: 5, Insightful

Anyone who's ever worked in software has to realize that the incompetent pinheads that they've worked with before are still floating around out there, doing ever more damage, instead of just fading away and working as a greeter at Wal-Mart. I've worked with people whose code was terrible, at best, and who were barely able to get their crap to compile. I've also worked with people who had no concept of security (including storing plain text passwords). They've moved on to other software positions, and are still writing bad code for some surprisingly large names. And then, there's the pressure factor. I was once asked to implement a feature that the same as removing any user validation from a high-dollar enterprise app. I flatly refused, because I could pretty much walk out and be in another job within a couple of days. Would a person who is on edge of technical incompetency, and knowing their prospects are limited, take the same position? No, they'll say "Yes sir!", bang that code out, and move on to the next debacle. Good management would alleviate this, but let's face it -- bad managers are a dime a dozen, too.
Nobody gives a fuck by Anonymous Coward · 2014-01-16 04:52 · Score: 4, Insightful

If you're concerned about data security, you don't have meaningful data on your phone. Most smartphone apps wouldn't pass as prototypes in any serious environment. The entire system is made to look nice first, functionality is a distant second and security doesn't even make the list. Users do not care. It's like credit cards: Convenience trumps all.
Re:Hard to have this happen on Android... by Sockatume · 2014-01-16 05:04 · Score: 4, Informative

This is wrong and should be ignored. It's not stored unencrypted in the app's data folders; it's sent unencrypted to the debug log, which is also readable to anyone on the host PC.

--
No kidding!!! What do you say at this point?
That's a Feature by TangoMargarine · 2014-01-16 06:01 · Score: 4, Insightful

Firefox (unless you turn on the master password) and Pidgin also store passwords in cleartext. The Pidgin devs explained that this is because they don't want to implement security through obscurity, as anyone with access to the stored plaintext xml file already has access to your computer anyway and could presumably decrypt it if they tried to secure it anyway.
Admittedly, it's a bit different when we're talking about cell phones.

--
Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF