{"id":2705,"date":"2014-01-20T10:11:58","date_gmt":"2014-01-20T15:11:58","guid":{"rendered":"http:\/\/me-en.kaspersky.com\/blog\/?p=2705"},"modified":"2020-02-26T18:58:09","modified_gmt":"2020-02-26T14:58:09","slug":"starbucks-moves-quick-to-fix-application-security-vulnerability","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/starbucks-moves-quick-to-fix-application-security-vulnerability\/2705\/","title":{"rendered":"Starbucks Moves Quick to Fix Application Security Vulnerability"},"content":{"rendered":"<p><a href=\"https:\/\/threatpost.com\/starbucks-app-stores-user-information-passwords-in-clear-text\/103649\" target=\"_blank\" rel=\"noopener nofollow\">Reports<\/a> emerged earlier this week that the Starbucks\u2019 iOS mobile application could be exposing the personal information of any customers that downloaded it. To their immense credit \u2013 especially considering that they are not a technology company \u2013 Starbucks issued an update resolving the vulnerability in their app late yesterday.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2014\/01\/05111037\/starbucks-1.jpeg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-3511\" alt=\"starbucks\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2014\/01\/05111037\/starbucks-1.jpeg\" width=\"640\" height=\"480\"><\/a><\/p>\n<p>Of course, Starbucks isn\u2019t suffering from a shortage of money by any means, but the vulnerability was reported sometime in December and fixed in January, which is respectable as far as security fixes are concerned. 
Vulnerability disclosure and resolution often involve vendor denials, nitpicking, convolution, and months and months before anything gets resolved.<\/p>\n<p>So, first and foremost: if you have downloaded the Starbucks mobile application on your iPhone, iPad, or other iDevice, then you should mosey on over to <a href=\"https:\/\/www.kaspersky.com\/blog\/fraudulent-apps-on-apples-app-store\/\" target=\"_blank\" rel=\"noopener nofollow\">the App Store<\/a> and install the update as soon as possible.<\/p>\n<p>I\u2019ll spare you most of the terrible technical details, but the vulnerability existed in what was \u2013 until January 16 \u2013 the most recent build of the application: version 2.6.1 for iOS. As I have made clear, the company has since fixed the vulnerability by releasing version 2.6.2, which \u2013 again \u2013 you can find in the <a href=\"https:\/\/www.kaspersky.com\/blog\/apple-immune-no-more\/\" target=\"_blank\" rel=\"noopener nofollow\">Apple<\/a> App Store.<\/p>\n<div class=\"pullquote\">The vulnerability was reported some time in December and fixed in January, which is respectable as far as security fixes are concerned.<\/div>\n<p>Anyone who hasn\u2019t applied the update could potentially be exposing a range of sensitive information, including their full name, address, device ID, and various geolocation data, according to a report written by Threatpost\u2019s Chris Brook.<\/p>\n<p>The coffee giant\u2019s application was storing all of this information as plain text, not <a href=\"https:\/\/www.kaspersky.com\/blog\/whos-using-encryption-whos-not\/\" target=\"_blank\" rel=\"noopener nofollow\">encrypted<\/a>, in a log file generated by a third-party crash-reporting solution developed by a Boston company called Crashlytics.<\/p>\n<p>Daniel Wood, the researcher who found the bug and a member of the Open Web Application Security Project (OWASP), basically blamed the vulnerability on Starbucks\u2019 failure to follow best practices 
for application security.<\/p>\n<p>Specifically, Wood said Starbucks should filter and sanitize data upon output \u201cto prevent these data elements from being stored in the Crashlytics log files in clear text, if at all.\u201d<\/p>\n<p>Crashlytics develops crash reporting solutions for mobile application makers. Starbucks appears to have used this company\u2019s technology in their application, though they may have implemented it incorrectly, at least in part.<\/p>\n<p>Crashlytics co-founder Wayne Chang told Threatpost\u2019s Chris Brook via email that the issue appears to involve one of the service\u2019s plaintext logging features. He went on to tell Threatpost that Crashlytics doesn\u2019t collect usernames or passwords automatically. The feature, CLSLog, is an \u201coptional feature that developers can use to log additional information.\u201d In other words, the data was not captured automatically by the crash reporter; it was whatever the app itself chose to hand to that optional logging call.<\/p>\n<p>In case you were curious, the Starbucks app gives customers the ability to connect their Starbucks card to their smartphone, replenishing funds via PayPal or credit card, and allowing them to use their smartphone as a <a href=\"https:\/\/www.kaspersky.com\/blog\/the-state-of-mobile-payments-and-the-rise-of-content-driven-commerce\/\" target=\"_blank\" rel=\"noopener nofollow\">mobile payment<\/a> mechanism at Starbucks locations around the globe.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Reports emerged earlier this week that the Starbucks\u2019 iOS mobile application could be exposing the personal information of any customers that downloaded it. 
To their immense credit \u2013 especially considering<\/p>\n","protected":false},"author":42,"featured_media":2706,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[193,97],"class_list":{"0":"post-2705","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"tag-mobile-device","9":"tag-security-2"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/starbucks-moves-quick-to-fix-application-security-vulnerability\/2705\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/starbucks-moves-quick-to-fix-application-security-vulnerability\/2812\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/starbucks-moves-quick-to-fix-application-security-vulnerability\/3042\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/starbucks-moves-quick-to-fix-application-security-vulnerability\/2894\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/starbucks-moves-quick-to-fix-application-security-vulnerability\/3510\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/starbucks-moves-quick-to-fix-application-security-vulnerability\/2355\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/starbucks-moves-quick-to-fix-application-security-vulnerability\/3510\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/starbucks-moves-quick-to-fix-application-security-vulnerability\/3510\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/mobile-device\/","name":"mobile 
device"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/2705","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/42"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=2705"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/2705\/revisions"}],"predecessor-version":[{"id":15696,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/2705\/revisions\/15696"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/2706"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=2705"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=2705"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=2705"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
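
The post above quotes Wood's advice to filter and sanitize data before it can reach the Crashlytics log file, and Chang's point that CLSLog is an optional, developer-controlled logging call. The following is an added example and is not code from the original post, from Starbucks or from Crashlytics; it is written in Python rather than the Objective-C of the iOS app so the pattern is easy to read and run offline. It shows a redacting sink placed in front of a crash reporter's optional logging hook: a default-deny allowlist of fields, salted one-way hashing of identifiers that are still needed to correlate crashes, and pattern-based scrubbing (with a Luhn check to avoid masking ordinary numbers) of free-form messages. The field names, the patterns, the CrashLogSink class and the sample event are assumptions constructed for illustration.

```python
"""Redacting log sink: keep customer data out of third-party crash logs.

Added example, not code from the original post, from Starbucks or from
Crashlytics. Field names, patterns, the CrashLogSink class and the sample
event are assumptions for illustration.
"""
import hashlib
import json
import re

# Fields an app may attach to a diagnostic log verbatim (assumed allowlist).
SAFE_KEYS = {"screen", "action", "app_version", "http_status", "elapsed_ms"}

# Fields useful for correlating crashes that must never be stored raw:
# replaced by a salted one-way hash (assumed policy).
HASH_KEYS = {"device_id", "user_id"}

# Anything else (name, address, password, token, raw coordinates, ...) is
# dropped: the sink is default-deny, not default-allow.

# Patterns for data that tends to leak through free-form log messages.
_EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
_CARD = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators
_COORD = re.compile(r"-?\d{1,3}\.\d{3,}\s*,\s*-?\d{1,3}\.\d{3,}")  # "lat, long"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that ordinary 13-19 digit numbers (timestamps,
    order numbers) are not mistaken for payment cards."""
    total = 0
    for i, ch in enumerate(reversed([c for c in digits if c.isdigit()])):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scrub_text(msg: str) -> str:
    """Mask e-mail addresses, Luhn-valid card numbers and coordinate pairs."""
    msg = _EMAIL.sub("[email]", msg)
    msg = _CARD.sub(lambda m: "[card]" if luhn_ok(m.group()) else m.group(), msg)
    msg = _COORD.sub("[geo]", msg)
    return msg


def sanitize_event(fields: dict, salt: bytes) -> dict:
    """Apply the allowlist: pass safe keys (scrubbed), hash identifiers,
    redact everything else."""
    out = {}
    for key, value in fields.items():
        if key in SAFE_KEYS:
            out[key] = scrub_text(value) if isinstance(value, str) else value
        elif key in HASH_KEYS:
            out[key] = hashlib.sha256(salt + str(value).encode()).hexdigest()[:16]
        else:
            out[key] = "[redacted]"
    return out


class CrashLogSink:
    """Stand-in for a crash reporter's optional logging hook (the kind of
    call CLSLog provides). Everything given to it is assumed to end up in a
    plaintext file on the device, so it is sanitized before it is written."""

    def __init__(self, salt: bytes):
        self.salt = salt
        self.lines = []  # what would be written to the log file

    def log(self, message: str, **fields) -> dict:
        record = {"msg": scrub_text(message), **sanitize_event(fields, self.salt)}
        self.lines.append(json.dumps(record, sort_keys=True))
        return record


if __name__ == "__main__":
    sink = CrashLogSink(salt=b"per-install-random-salt")  # constructed sample salt
    # Constructed sample event of the kind an app might log on a failed login.
    sink.log(
        "Login failed for user@example.com near 42.3601, -71.0589",
        screen="login", username="jdoe", password="hunter2",
        device_id="A1B2C3D4", app_version="2.6.1",
    )
    print(sink.lines[-1])
```

The important design choice is the direction of the default: a field reaches the log only because someone decided it was safe, so a new field added to the app later is redacted until it is reviewed, and the free-form message is scrubbed regardless of who wrote it.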