Starbucks Phone App Stores Password Unencrypted

JThaddeus writes "The Daily Caller reports a serious security flaw in the Starbucks phone app: 'Starbucks confirmed late Tuesday that anyone could access the unencrypted data stored on the official Starbucks app simply by connecting the phone to a computer – bypassing lock screen or PIN security features with no hacking or jailbreaking necessary.' The linked report is for iOS. No mention of Android, but do you think it is any different?" (Starbucks says they've addressed the problem.)

When will companies be held liable?

When will companies be held liable for implementing incompetent security (or not implementing it all)?

The marketing weenies are all over getting the brand out, but don't give a shit about security.

Companies should be getting fined for crap like this. Between data beaches and gross incompetence at any form of security, trusting a marketing app is the height of stupid.

Re:When will companies be held liable?

[Sarten-X]

Never. Per the last few hundred years of legal precedent, the companies are the victims. It's in the same category as leaving a house unlocked. Legally, the person at fault is the one who decided to abuse the flaw and access information they aren't supposed to.

There is a case for negligence, but that requires that the negligent party be unreasonably incompetent, and at the moment, most companies with these kind of security problems are performing on par with most of America - the non-techies who don't understand security.

Re:When will companies be held liable?

[Aaden42]

Before you have grounds for a suit based on liability, you have to show harm that wasn’t already reimbursed by anyone who you might seek to hold liable.

There’s no “harm” done to you by having your password stored in the clear on your device. If someone got that password, used it to run up charges on your account, then there’s harm done. If Starbucks policy results in you being refunded and not being held accountable for those charges, then there’s still no harm. You’ve already been made whole in monetary terms before any legal proceeding might have commenced, QED no grounds for any legal proceeding.

Also, as others have pointed out, the harm isn’t actually perpetrated by Starbucks in this case. It’s done by whoever got your phone, extracted the password, and used it for mayhem. A defense attorney for Starbucks would make a (rather valid IMHO) argument that by allowing someone else to take your phone and plug it into their computer, you failed to take reasonable actions to secure your own system. At best, Starbucks is responsible for only a portion of the liability, and then you’re talking civil juries deciding percentages of fault to assign damages.

I do think the “left your house unlocked, got robbed” analogy is a bit off for this though. As far as the user could reasonably know, setting a lock code on your phone should be enough to qualify as “locking the house.” Unbeknownst to the user/homeowner, there was a flaw in the lock that allowed it to be trivially picked even if it was properly locked. Some liability is due the lock maker in this case, as it could be reasonably argued the product wasn’t fit for the purpose it was sold. I don’t think that applies quite as cleanly to Starbucks in this case as 1) the app is free (not sold), and 2) the app’s purpose for which it’s marketed isn’t to keep your password secure. That’s something one might expect/hope of it, but it’s a stretch to turn that expectation into grounds for a lawsuit.

The harm in any such case is likely to be well below that of the legal fees to pursue it unless you manage to get them on some statutory minimum penalties (in excess of the actual value of the harm) or turn it into a class action which would require significant numbers of people who were actually harmed (their passwords were used). I’m not aware of any such statute for something like this. Maybe some kind of treble damages thing for gross negligence, but you’re still talking triple the cost of a couple of cups of coffee, so not something worth suing over. Given how trivially, stupidly easy it is in iOS to store a password like this in Keychain in such a way that it can’t be dumped by simply plugging in the device, calling this gross negligence isn’t much of a stretch.

The only way to fix something like this would be to pass new legislation that specifically creates a tort for the act of storing user’s credentials (or perhaps PII in general) in an insecure manner. I’d personally like to see that done, but the details of how to define “a secure manner” and what information should be covered would take a lot of work to hash to prevent loopholes or making it so onerous that developers couldn’t actually comply with it for any non-trivial app.

Is this really a surprise?

[Akratist]

Anyone who's ever worked in software has to realize that the incompetent pinheads that they've worked with before are still floating around out there, doing ever more damage, instead of just fading away and working as a greeter at Wal-Mart. I've worked with people whose code was terrible, at best, and who were barely able to get their crap to compile. I've also worked with people who had no concept of security (including storing plain text passwords). They've moved on to other software positions, and are still writing bad code for some surprisingly large names. And then, there's the pressure factor. I was once asked to implement a feature that the same as removing any user validation from a high-dollar enterprise app. I flatly refused, because I could pretty much walk out and be in another job within a couple of days. Would a person who is on edge of technical incompetency, and knowing their prospects are limited, take the same position? No, they'll say "Yes sir!", bang that code out, and move on to the next debacle. Good management would alleviate this, but let's face it -- bad managers are a dime a dozen, too.