Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Starbucks Phone App Stores Password Unencrypted

timothy posted about 8 months ago | from the don't-spend-it-all-in-one-place dept.

Security 137

JThaddeus writes "The Daily Caller reports a serious security flaw in the Starbucks phone app: 'Starbucks confirmed late Tuesday that anyone could access the unencrypted data stored on the official Starbucks app simply by connecting the phone to a computer – bypassing lock screen or PIN security features with no hacking or jailbreaking necessary.' The linked report is for iOS. No mention of Android, but do you think it is any different?" (Starbucks says they've addressed the problem.)

cancel ×

137 comments

Sorry! There are no comments related to the filter you selected.

When will companies be held liable? (5, Interesting)

Anonymous Coward | about 8 months ago | (#45976887)

When will companies be held liable for implementing incompetent security (or not implementing it all)?

The marketing weenies are all over getting the brand out, but don't give a shit about security.

Companies should be getting fined for crap like this. Between data beaches and gross incompetence at any form of security, trusting a marketing app is the height of stupid.

Re:When will companies be held liable? (5, Insightful)

Sarten-X (1102295) | about 8 months ago | (#45976975)

Never. Per the last few hundred years of legal precedent, the companies are the victims. It's in the same category as leaving a house unlocked. Legally, the person at fault is the one who decided to abuse the flaw and access information they aren't supposed to.

There is a case for negligence, but that requires that the negligent party be unreasonably incompetent, and at the moment, most companies with these kind of security problems are performing on par with most of America - the non-techies who don't understand security.

Re:When will companies be held liable? (2)

geogob (569250) | about 8 months ago | (#45977057)

Never. Per the last few hundred years of legal precedent, the companies are the victims. It's in the same category as leaving a house unlocked. Legally, the person at fault is the one who decided to abuse the flaw and access information they aren't supposed to.

Have fun trying to sell that to your insurance company.

Re:When will companies be held liable? (2, Interesting)

Anonymous Coward | about 8 months ago | (#45977295)

I don't know where you live, but throughout most of the world content insurance covers theft.

Both break and enter as well as trespassing don't require the door to be locked. Theft doesn't depend on either of the above cases to be met (if your ladder sticks up over your fence, or your lawnmower is sitting on public land (an easement), or your door mat is sitting outside an apartment unit in a common space, theft is still "depriving someone of lawfully acquired property without the permission of the owner nor the intention to return the item without damage or use".

Content insurance is optional for MOST insurance plans, but that doesn't for a second mean it's "not available".

If a thief walked into your home and jacked a TV because a window was left unlocked, and your insurance company denied the claim on those grounds, it's time to change to a new insurance company. They may ask that you do something to prevent such issues from occurring in the future ELSE your rates may go up, but they cannot deny a claim unless they can prove intentional negligence on the owner's part (like hanging a "free" sign on something and wondering why it went missing)

Re:When will companies be held liable? (1)

TheCarp (96830) | about 8 months ago | (#45978435)

However, that isn't really the end of the story is it? After a claim or two it isn't unheard of for an insurance company to drop a customer, or raise rates. It also isn't unheard of for Insurance companies to mandate their customers comply with standards higher than that of legal obligation.

Seems to me it would be perfectly legitimate for an insurance company which insures a company that is distributing software to take appropriate precautions commensurate with industry best practices or else void their policy.

If you want an example of this, many films often license all music clips they use, regardless of whether the length or context would actually require it legally, because the insurance companies will not insure the film producers otherwise.

"Oh you you are being sued over a loss due to software you released which didn't encrypt stored passwords"
"That is correct"
"You are not covered for that; and now your policy is cancelled. Have a nice day."
"Wait; Do you have a policy for that?"
"Yes we do sir, our policy is not to do business with reckless idiots. Can I help you with anything else today?"

Re:When will companies be held liable? (1)

immaterial (1520413) | about 8 months ago | (#45977367)

Did insurance companies become the law while I wasn't looking?

Re:When will companies be held liable? (0)

Anonymous Coward | about 8 months ago | (#45977495)

Yes

Re:When will companies be held liable? (1)

gstoddart (321705) | about 8 months ago | (#45977799)

Did insurance companies become the law while I wasn't looking?

No, but they've been known to deny coverage if they can find any little thing which they can blame on you.

Insurance companies aren't exactly known for playing nice in a lot of cases.

Re:When will companies be held liable? (1)

immaterial (1520413) | about 8 months ago | (#45978049)

Grandparents were discussing legal liability.

Re:When will companies be held liable? (1)

gstoddart (321705) | about 8 months ago | (#45978115)

Grandparents were discussing legal liability.

Correct, but doing it in such a way as to imply that insurance companies care about legal liability, when in fact they only care about their own liability -- if they can get away with denying you coverage they will.

Even if 'technically' the legal liability was with whoever went into your unlocked house.

In other words, legal liability can be detached from what insurance companies are willing to accept, and being right on an abstract point is immaterial. ;-)

Re:When will companies be held liable? (0)

Anonymous Coward | about 8 months ago | (#45977059)

If someone rented an apartment with faulty door locks and got burglarized/assaulted/killed you can bet there would be a negligence suit filed against the property managers.

Re:When will companies be held liable? (2)

gstoddart (321705) | about 8 months ago | (#45977069)

but that requires that the negligent party be unreasonably incompetent

Oh, I don't know ... storing passwords in plain text sounds pretty unreasonably incompetent since we've known for 30+ years it's a stupid idea.

It's not like there should be anybody who doesn't know that yet. At least not anybody you should be trusting to write code.

Re:When will companies be held liable? (2)

aviators99 (895782) | about 8 months ago | (#45977161)

There is a case for negligence

Not if there are no damages. I don't see anything about anyone losing money yet.

Re:When will companies be held liable? (1)

Anonymous Coward | about 8 months ago | (#45977197)

In Quebec, you can get a ticket for leaving your car doors unlocked in public parking lot. To be sure there's no place for discussion, they place the ticket on the dashboard and lock the doors on their way out.

Re:When will companies be held liable? (1)

hjf (703092) | about 8 months ago | (#45978649)

Don't most cars unlock the door if you lock from inside first, and then close the door? Pretty sure at least the driver's door unlocks if you close it locked.

Re:When will companies be held liable? (0)

Anonymous Coward | about 8 months ago | (#45978845)

Source please. That's an incredibly stupid and pointless law if it's true.

Duty of Care (1)

sjbe (173966) | about 8 months ago | (#45977321)

Never. Per the last few hundred years of legal precedent, the companies are the victims. It's in the same category as leaving a house unlocked. Legally, the person at fault is the one who decided to abuse the flaw and access information they aren't supposed to.

Even if true (and I don't agree that it is) this is easily remedied through legislation making inadequate care of customer data illegal by statute (negligence per-se). Furthermore there there are a variety of duty of care torts under which a company could be legally charged including potentially fiduciary duty in some cases.

The fact that many companies are incompetent is not a sufficient excuse and should never be regarded as such.

Re:When will companies be held liable? (1)

sunderland56 (621843) | about 8 months ago | (#45977821)

There is a case for negligence, but that requires that the negligent party be unreasonably incompetent

It's 2014. Anyone who stores data unencrypted *IS* unreasonably incompetent.

Starbucks says they've addressed it - but unless they've fired everyone involved (including the managers), they really have not.

Re:When will companies be held liable? (4, Insightful)

dkleinsc (563838) | about 8 months ago | (#45978243)

It's in the same category as leaving a house unlocked.

That analogy is incorrect. In a correct analogy, the locksmith installed a lock that he swore up and down would protect your home, you locked the door thinking you were fine, and then somebody came in and stole a bunch of things. And that would in fact make the locksmith liable, especially if there was a written guarantee on the lock and the locksmith's work (but even if not, there's the implied warranty of merchantability that says that he's still liable).

And as soon as you look at the case that way, Starbucks is being negligent, just like the locksmith was in our analogous scenario. The key factor here is that the victim of the crime is not the person who left themselves vulnerable to it through their own stupidity.

Re:When will companies be held liable? (3, Interesting)

mlts (1038732) | about 8 months ago | (#45977031)

Inductive reasoning states never.

Look at historic security breaches in the past that resulted in massive data compromise. Most companies that were breached are back to their stock norms, or perhaps even higher [1] a few quarters after the incident. Couple this with the belief that security has no ROI...

I wouldn't expect anything to change anytime soon.

[1]: I remember being told by an MBA that all press is good press, so a security breach is still getting a company name in front of people's eyes/ears where they may never have gotten with normal advertising methods.

Re:When will companies be held liable? (1)

Anonymous Coward | about 8 months ago | (#45977205)

So this story means new people are hearing about Starbucks for the first time?

Re:When will companies be held liable? (2)

Antipater (2053064) | about 8 months ago | (#45977303)

Not the company, the app. I know my first thoughts when seeing this story were "Starbucks has an app? What? Why?"

Re:When will companies be held liable? (1)

gstoddart (321705) | about 8 months ago | (#45977517)

"Starbucks has an app? What? Why?"

Marketing, and collecting consumer information. Exactly what most apps are for these days.

Sure, you might get a small discount now and then, but the treasure trove of marketing data is worth far more than that discount is.

Re:When will companies be held liable? (1)

khr (708262) | about 8 months ago | (#45977385)

So this story means new people are hearing about Starbucks for the first time?

Not necessarily for the first time. I wasn't thinking at all about coffee, but now there's an article about a big coffee vendor, so it comes to mind. Maybe I'll stop in on my way home, since I walk past several... (but who am I kidding, they're always crowded and I've never ordered coffee on my own before, so I'm not sure I know how to do that without making a fool of myself...)

Re:When will companies be held liable? (1)

Penguinisto (415985) | about 8 months ago | (#45977083)

Well, it depends on the results. I've never used the app*, but...

If the result is that you get to share in the user's freebie downloads and coupons, then it's Starbucks' problem, and they can eat the results for all I care.

If the result is a compromise of the user's CC info, then yeah, Starbucks needs to not only eat that cost, but forced to eat any associated costs that the ID theft brings about, and then compensate every user generously for his/her time and trouble.

I guess what I'm getting at is this - if the app stores nothing critical to the user (financial info, etc), then fuggit - that's the app maker's problem, and security is not a big deal. But, if the app stores something critical to the user (privacy/HIPAA info, financial info, etc), then the utmost care should be enforced.

* On the personal/user side, this should teach some good lessons as well:
1) I don't have a phone/tablet full of frivolous, stupid-assed apps. Maybe folks will figure this out too?
2) I don't store my financial info on the damned things either.
3) I live in Portland - why the hell would I bother with some corporate chain's coffee when there's way better to be had locally? Maybe it's time people stopped being such sheep about it and seek out the local alternatives if they can be had?

Re:When will companies be held liable? (2)

Flatwater (2169620) | about 8 months ago | (#45977129)

I suspect that if you read the EULA you clicked through, not only did you agree not to hold them liable for their crappy software, you also gave them permission to burn down your house and shoot your dog.

Re:When will companies be held liable? (0)

alen (225700) | about 8 months ago | (#45977145)

from what i read it was only in a log file, not the part where it authorizes your CC
relax

someone would have to steal your phone to take the data off. and anyone on ios 7 which is more iphone users will have find my iphone enabled and will send a remote wipe command.

or just change your passwords once you lose your phone and problem solved

Generally you are right. (0)

Anonymous Coward | about 8 months ago | (#45977329)

Although, Target has been really taking it on the chin the last several weeks and I'm sure they are learning a valuable lesson. Although that was an internal POS system: not a payment app.

Now this Starbucks app, yeah it's a stupid oversight, but how much damage can one do at a Starbucks? Order a really really expensive drink and pastry for an entire car load of people? $50? Yeah, it's like someone picking your pocket of $50 - but still - the indignant outrage over a stupid error that was discovered by s security researcher. The hackers and crooks are out for bigger fish than getting free coffees.

It's not like it's a borrowing app for Bank of America where folks are taking out mortgages in the phone owner's name.

Re:When will companies be held liable? (5, Insightful)

Aaden42 (198257) | about 8 months ago | (#45977451)

Before you have grounds for a suit based on liability, you have to show harm that wasn’t already reimbursed by anyone who you might seek to hold liable.

There’s no “harm” done to you by having your password stored in the clear on your device. If someone got that password, used it to run up charges on your account, then there’s harm done. If Starbucks policy results in you being refunded and not being held accountable for those charges, then there’s still no harm. You’ve already been made whole in monetary terms before any legal proceeding might have commenced, QED no grounds for any legal proceeding.

Also, as others have pointed out, the harm isn’t actually perpetrated by Starbucks in this case. It’s done by whoever got your phone, extracted the password, and used it for mayhem. A defense attorney for Starbucks would make a (rather valid IMHO) argument that by allowing someone else to take your phone and plug it into their computer, you failed to take reasonable actions to secure your own system. At best, Starbucks is responsible for only a portion of the liability, and then you’re talking civil juries deciding percentages of fault to assign damages.

I do think the “left your house unlocked, got robbed” analogy is a bit off for this though. As far as the user could reasonably know, setting a lock code on your phone should be enough to qualify as “locking the house.” Unbeknownst to the user/homeowner, there was a flaw in the lock that allowed it to be trivially picked even if it was properly locked. Some liability is due the lock maker in this case, as it could be reasonably argued the product wasn’t fit for the purpose it was sold. I don’t think that applies quite as cleanly to Starbucks in this case as 1) the app is free (not sold), and 2) the app’s purpose for which it’s marketed isn’t to keep your password secure. That’s something one might expect/hope of it, but it’s a stretch to turn that expectation into grounds for a lawsuit.

The harm in any such case is likely to be well below that of the legal fees to pursue it unless you manage to get them on some statutory minimum penalties (in excess of the actual value of the harm) or turn it into a class action which would require significant numbers of people who were actually harmed (their passwords were used). I’m not aware of any such statute for something like this. Maybe some kind of treble damages thing for gross negligence, but you’re still talking triple the cost of a couple of cups of coffee, so not something worth suing over. Given how trivially, stupidly easy it is in iOS to store a password like this in Keychain in such a way that it can’t be dumped by simply plugging in the device, calling this gross negligence isn’t much of a stretch.

The only way to fix something like this would be to pass new legislation that specifically creates a tort for the act of storing user’s credentials (or perhaps PII in general) in an insecure manner. I’d personally like to see that done, but the details of how to define “a secure manner” and what information should be covered would take a lot of work to hash to prevent loopholes or making it so onerous that developers couldn’t actually comply with it for any non-trivial app.

Re:When will companies be held liable? (1)

BronsCon (927697) | about 8 months ago | (#45977733)

Before you have grounds for a suit based on liability, you have to show harm that wasn’t already reimbursed by anyone who you might seek to hold liable.

Typically, you'd acquire a coffee shop's grounds from their refuse receptacle, but, as Starbucks is known to recycle their grounds, that might make holding them liable for anything slightly more difficult.

And yes, I'm going for a "Funny" mod here.

Re:When will companies be held liable? (1)

TheloniousToady (3343045) | about 8 months ago | (#45978329)

If Starbucks offers no grounds for a suit based on liability, at least a tailor's shop is grounds for a suit based on wool.

(I'm going for "Funny" too, but neither one of us is likely to get it. :-)

Re:When will companies be held liable? (1)

flyingfsck (986395) | about 8 months ago | (#45977467)

Why would anyone use a Starbucks app? My guess is that the security hole affected at most two people: The Starbucks marketing manager who wanted it and the guy who developed it.

Re:When will companies be held liable? (3, Informative)

Jason Levine (196982) | about 8 months ago | (#45977623)

I can't speak to the iOS installations, but Google Play reports that the Starbucks app has between 1 million and 5 million installs: https://play.google.com/store/apps/details?id=com.starbucks.mobilecard [google.com]

If iOS has a similar installation base, we're talking somewhere between 1 million and 10 million affected users.

Re:Android security (1)

kbdd (823155) | about 8 months ago | (#45977817)

On my Android phone (Moto Droid Razr), the flash storage is not accessible via USB until I unlock the phone. Of course, the SD card could be removed, but most applications store to the internal flash by default, so there is at least a moderate level of protection against that kind of attack on Android.

Re: Android security (0)

Anonymous Coward | about 8 months ago | (#45978453)

At least on iOS 7, not only do you need to unlock the phone, you need to opt in to rusting the computer.

So it's really only an issue on devices running 6 or earlier that aren't in supervised mode (20%) or not having a passcode set at all (likely 40% or so)

That's a significant fraction of the devices out there, but for most it's within the phone owners power to fix

Re:When will companies be held liable? (1)

timmyf2371 (586051) | about 8 months ago | (#45978183)

My main reason for using the Starbucks app is so that I don't have yet another card taking up space in my wallet (by using a Starbucks card you get a free drink every so often, as well as eligibility for gold membership which gives you free syrups and extra shots).

More importantly though, why do you think this only affected two people? Even computer novices know how to use a smartphone and I think you would be surprised at how often I see some old geezer using an app to pay for something or check in somewhere.

Most popular smartphone payment app (3, Informative)

sjbe (173966) | about 8 months ago | (#45978627)

Why would anyone use a Starbucks app? My guess is that the security hole affected at most two people: The Starbucks marketing manager who wanted it and the guy who developed it.

The Starbucks app is THE most popular smartphone payment app for retailers out there. It allows you to bring up a barcode on your smartphone screen to pay. On the iPhone it also is aware of when you walk into a Starbucks location and you do not even have to pull up the app thanks to the Passbook on the iphone. You just swipe the screen and it brings the barcode up for payment. Very easy to use and faster than cash or credit card. Payment is behind the scenes with an credit card attached to a Starbucks card. You can have multiple cards and transfer balances between them. If you want to see the future of using a smartphone to pay for products, you should be looking at this app. Starbucks is way ahead of anyone else in implementing this stuff. If you actually go into a Starbucks you'll almost certainly see someone using their smartphone to pay for their drinks.

No I don't work for Starbucks and I'm not promoting or disparaging the product. Merely describing what Starbucks has done. It is attention worthy whether you like Starbucks or not.

Re:When will companies be held liable? (0)

Anonymous Coward | about 8 months ago | (#45977633)

When will companies be held liable for implementing incompetent security (or not implementing it all)?

The marketing weenies are all over getting the brand out, but don't give a shit about security.

Companies should be getting fined for crap like this. Between data beaches and gross incompetence at any form of security, trusting a marketing app is the height of stupid.

Fined? For what, a lack of a security breach?

Are you about to punish me for something my software...might do?

As much as I'd like to see stronger security standards, I hope you get my point here. Punishing companies or people for non-events is a dangerous slope, but let me know as soon as that becomes the norm. I'll go get my PhD in FUD and become a fucking rock star.

And if trusting a marketing app is the height of stupid, then please let me know which one of those apps isn't a fucking marketing app, because I'm feeling awfully fucking stupid over here with the current batch of marketing crap installed by default.

Think ahead just one more step (0)

Anonymous Coward | about 8 months ago | (#45977691)

1. Companies start being held liable for app security.
2. Starbucks stores conveniently work properly with some app released by an anonymous guy online you can't sue.

IMHO the height of stupid is trusting anything important whatsoever to closed-source software with no guarantees or accountability. Do you REALLY need an app to buy coffee?

They already are (1)

Chemisor (97276) | about 8 months ago | (#45977703)

Companies already are held liable for implementing incompetent security, and are punished by their customers who stop buying their shoddy product, and possibly all their other products, whether shoddy or not. This is already the worst thing you can do to a company.

Re:When will companies be held liable? (0)

Anonymous Coward | about 8 months ago | (#45977845)

Companies will be held liable when software engineers are held to the same ethical and responsibility level as licensed professional engineers. But expect the cost of software to go up exponentially.

Bad Coffee, Bad App (4, Insightful)

Anonymous Coward | about 8 months ago | (#45976893)

What's the difference? Patronize a local shop that doesn't over-roast the coffee.

Re:Bad Coffee, Bad App (4, Interesting)

malakai (136531) | about 8 months ago | (#45977143)

Love my mocha's. Can't tell you how many times I got to a 'local' coffee house and get a crap mocha. Some like to put store bought chocolate syrup in it, others like to add a mocha powder without first turning it into a wet paste. I've had Swiss Miss packets added to a late and told this was their 'Cafe Mocha'.

All in all, I can count on one hand the number of good cafe mocha's I've had at 'local' coffee houses.

On the other hand, every Starbucks I got into, anywhere in the world, seems to have the same Cafe Mocha. It's as if they had a recipe and the barista's were trained to make it. I like being in a town for the first time in my life, finding a Starbucks and feeling a little bit like being at home.

In the end, I reward any store on it's quality, I don't stereotype a store based on it's number of locations or perceived local community value. Would you patron a crap restaurant just because it's "local"?

Re:Bad Coffee, Bad App (4, Insightful)

hawguy (1600213) | about 8 months ago | (#45977297)

Love my mocha's. Can't tell you how many times I got to a 'local' coffee house and get a crap mocha. Some like to put store bought chocolate syrup in it, others like to add a mocha powder without first turning it into a wet paste. I've had Swiss Miss packets added to a late and told this was their 'Cafe Mocha'.

All in all, I can count on one hand the number of good cafe mocha's I've had at 'local' coffee houses.

On the other hand, every Starbucks I got into, anywhere in the world, seems to have the same Cafe Mocha. It's as if they had a recipe and the barista's were trained to make it. I like being in a town for the first time in my life, finding a Starbucks and feeling a little bit like being at home.

In the end, I reward any store on it's quality, I don't stereotype a store based on it's number of locations or perceived local community value. Would you patron a crap restaurant just because it's "local"?

I think you are confusing quality with consistency... At Starbucks you are getting a known quality, it may not always be the best but its always the same. Independent places can be hit and mis, but usually once you find one that makes a product you like, its always good there. I have a good number of coffee shop choices and I go to one for a good latte and another for a good iced coffee (with coffee ice cubes too). But when I travel I usually go to Starbucks because I know its the same everywhere.

Quality is a complicated thing (3, Insightful)

sjbe (173966) | about 8 months ago | (#45977563)

I think you are confusing quality with consistency...At Starbucks you are getting a known quality, it may not always be the best but its always the same. Independent places can be hit and mis, but usually once you find one that makes a product you like, its always good there

And you seem to be confusing quality with preference. Preference can be a component of quality but quality is more complex and some aspects of quality have a strong subjective component. Part of quality is fitness for a particular purpose, part of it is consistency of output, part of it is the relative superiority of the product, part of it is conformance to specifications, etc. Reliability, sustainability, serviceability and other factors may play a role.

You cannot really define quality solely in terms of customer preferences because customers often prefer things that are objectively inferior or even dangerous by some measure. We have customers at my company all the time that specify products that if built to their specs would not meet industry standards would fail in the field. What the customer thinks they want isn't always what they actually want.

When it comes to Starbucks products, they have very good quality by some measures. Their quality on more subjective measures depends on who is doing the evaluation. Obviously a lot of people like their products and are willing to pay a lot for them. Others not so much. I think a lot of people just dislike Starbucks not so much based on their merits of their products but rather based on a more vague dislike of the corporation or the experience of the place.

Re:Bad Coffee, Bad App (1)

DerekLyons (302214) | about 8 months ago | (#45978193)

At Starbucks you are getting a known quality, it may not always be the best but its always the same. Independent places can be hit and mis, but usually once you find one that makes a product you like, its always good there.

Independent places, in my experience, tend to be hit-or-miss at all scales... from the store, to the shift, to the barista/cook/whatever actually doing the work when you place your order.

Re:Bad Coffee, Bad App (0)

Anonymous Coward | about 8 months ago | (#45977985)

Love my mocha's.

Fag.

Re:Bad Coffee, Bad App (1)

Grizzley9 (1407005) | about 8 months ago | (#45978739)

Edit: replace mocha with hamburgers and Starbucks with McDonalds. Sometimes you don't want risk and just trust the consistency of a large brand. (not that I would approve of either company in this case) But consistency isn't quality.

Re:Bad Coffee, Bad App (2)

Joce640k (829181) | about 8 months ago | (#45977877)

Yep.

Why on earth would anybody need a "Starbucks App". With sensitive information in it, and a password.

What information is there to hack? If it's anything more than where the nearest store is and you coffee preference then you're DOING IT WRONG.

Hard to have this happen on Android... (3, Interesting)

mlts (1038732) | about 8 months ago | (#45976943)

On Android, a phone will appear as a storage device or camera, unless someone enables debugging and authorizes a computer with its individual key to connect.

I don't see how an app could get data to a computer from a locked Android device unless the app managed to get itself root, or there was some other trick to break into the Android device (physical dumping the RAM), and if an attacker is that sophisticated, pretty much what an app tries to do for security is pointless.

Re:Hard to have this happen on Android... (1)

aaarrrgggh (9205) | about 8 months ago | (#45977179)

The flaw is apparently exposed by the crash reporting software on iOS; not sure why Android would be protected inherently.

Re:Hard to have this happen on Android... (0)

Sockatume (732728) | about 8 months ago | (#45977225)

To use an Android analogy, they were storing the passwords etc. in plain text on the phone's memory card with the app's data files, so when the phone was connected to a computer and was mounted as a storage device, it was completely trivial to read it. The developers seemed to assume that because their app can't read any other app's folders (sandboxing), those folders were completely inaccessible to anything but the app that they belong to. Unfortunately that whole space is mounted and made available to the host PC every time the iPhone is plugged in. You can use iFunbox etc. to screw around in those folders to your heart's content. (Which is actually useful if you want to back up a save file or something.)

Re:Hard to have this happen on Android... (4, Informative)

Sockatume (732728) | about 8 months ago | (#45977235)

This is wrong and should be ignored. It's not stored unencrypted in the app's data folders; it's sent unencrypted to the debug log, which is also readable to anyone on the host PC.

Re:Hard to have this happen on Android... (1)

wonkey_monkey (2592601) | about 8 months ago | (#45977705)

which is also readable to anyone on the host PC.

So that's what is meant by "bypassing lock screen or PIN security features"?

Re:Hard to have this happen on Android... (2)

immaterial (1520413) | about 8 months ago | (#45977345)

The summary is wrong. If you dig back to the original ComputerWorld article, it says, "The credentials were stored in such a way that anyone with access to the phone can see the passwords and usernames by connecting the phone to a PC. No jailbreaking of the phone is necessary." Nothing about bypassing the pin in a locked phone like the summary or shitty article the summary links to; you have to connect the phone to a computer, have it unlocked, and allow the computer access to the phone (this applies to iOS as well as Android). Even the ComputerWorld article's mention of jailbreaking is a bit of a non-sequitur.

Re:Hard to have this happen on Android... (3, Informative)

immaterial (1520413) | about 8 months ago | (#45977435)

My mistake - I didn't notice the CW article had multiple pages (derp). It does say this:

Do you feel secure because you use PIN protection on your phone? You shouldn't, says Wood. "You don't need a user's PIN in order to pull raw data off the phone using the tool and methods I have used," he said. "So if a user's phone is stolen, regardless of being PIN-protected, you are able to bypass that and access the apps Library/Cache and pull the session.clslog file."

However, I don't buy it. If this researcher has found a way to bypass the hardware encryption on a locked iOS device, that sounds like a bigger and more interesting security hole than one in a shitty Starbucks app.

Re:Hard to have this happen on Android... (1)

gstoddart (321705) | about 8 months ago | (#45977617)

However, I don't buy it. If this researcher has found a way to bypass the hardware encryption on a locked iOS device, that sounds like a bigger and more interesting security hole than one in a shitty Starbucks app.

Ummm ... except law enforcement has been able to do this for some time now [forbes.com] .

I think it's even been covered here -- I didn't think it was news.

Re:Hard to have this happen on Android... (1)

immaterial (1520413) | about 8 months ago | (#45978993)

The article you linked to describes phones with no passcode, or law enforcement brute-forcing the passcode (with a 4 digit code, not terribly difficult). One of its citations describes a tool that doesn't work on modern devices at all. And ultimately when police can't get in using the brute-force methods, they have to send the phone to Apple along with a warrant and Apple has some way to decrypt the system (iirc from earlier articles they also brute-force the pin, just more efficiently by bypassing much of the os & firmware). There's no evidence in that article or elsewhere that law enforcement can bypass the hardware encryption.

Re:Hard to have this happen on Android... (2)

swinefc (91418) | about 8 months ago | (#45977369)

iOS is actually very similar. Without an application like PhoneView or Xcode, just connecting a device will not provide obvious access to per application data that is not explicitly shared. If the device is locked, then access is unavailable even to those methods. If the application itself requested data protection, then even physical access to the flash chips would prove useless. Of course, a developer who decided to store everything in plain text would probably not take the extra strep to request encryption. I just wonder why they didn't use the system Keychain. Easy to use and the OS takes care of all these problems.

Android question... I realize that an app by default doesn't have access to other app's per user data, but can an app request root or access an other's data in a permissions request presented to the user? My concern with Android security has always been that lay people do not read or even understand the implications of permission dialogs presented to them. So, could another malicious app gain access to the Starbucks data through laziness or ignorance of the user?
 

Re:Hard to have this happen on Android... (1)

gnasher719 (869701) | about 8 months ago | (#45977515)

iOS is actually very similar. Without an application like PhoneView or Xcode, just connecting a device will not provide obvious access to per application data that is not explicitly shared. If the device is locked, then access is unavailable even to those methods. If the application itself requested data protection, then even physical access to the flash chips would prove useless. Of course, a developer who decided to store everything in plain text would probably not take the extra strep to request encryption. I just wonder why they didn't use the system Keychain. Easy to use and the OS takes care of all these problems.

First, everything is always encrypted on the iPhone. With no passcode, that doesn't help much because the iPhone itself can read the data. With passcode set, the iPhone needs the passcode to read the data and no way around that. In addition, apps can request that a file is encrypted with a different key, which means the passcode needs to be entered _for that file_. And there's the keychain of course.

Security risks are: Unencrypted backups to iTunes (there's a switch "encrypt backups". Turn it on). And as the case here, crash reporting or logging software that leaks information. Or having a phone without passcode.

Re:Hard to have this happen on Android... (1)

swinefc (91418) | about 8 months ago | (#45978277)

Thank you. I didn't realize device specific keys are fused into the processor itself. This would, of course, render my comment about access to the flash chips incorrect.

Storing it in the keychain (with the correct protection class) would prevent access even for an unencrypted backup.

Also, specifically asking for per file data protection would prevent access for an unencrypted backup.

Basically, doing anything other than the bare minimum would have prevented access to the Starbucks data.

Does anyone have any answers for my Android question?

Re:Hard to have this happen on Android... (1)

Bungie (192858) | about 8 months ago | (#45978727)

As far as I know you cannot have an application request root on Android unless it's jailbroken. Only a few system apps have root access (like play store). Once the device is jailbroken there is a system app which can elevate root via a user dialog.

Re:Hard to have this happen on Android... (0)

girlintraining (1395911) | about 8 months ago | (#45977485)

I don't see how an app could get data to a computer from a locked Android device unless the app managed to get itself root, or there was some other trick to break into the Android device (physical dumping the RAM), and if an attacker is that sophisticated, pretty much what an app tries to do for security is pointless.

That doesn't seem terribly convenient. Why don't they do it like Apple does? /snark

Re:Hard to have this happen on Android... (2)

immaterial (1520413) | about 8 months ago | (#45977609)

"If this post is marked Troll, I pissed off a fanboy again." Or maybe you made a snarky post falsely implying Apple doesn't do exactly the same thing, even though they do?

Re:Hard to have this happen on Android... (1)

girlintraining (1395911) | about 8 months ago | (#45978497)

"If this post is marked Troll, I pissed off a fanboy again." Or maybe you made a snarky post falsely implying Apple doesn't do exactly the same thing, even though they do?

Except they don't. Plug in an iPhone and it'll immediately dump its guts to whatever its connected to without requiring interaction with the device itself. It does this by default. Android does not.

Re:Hard to have this happen on Android... (0)

Anonymous Coward | about 8 months ago | (#45977537)

Yes, we all know that Android & Linux have no vulnerabilities.

This security feature is new in 4.2 (1)

tepples (727027) | about 8 months ago | (#45977785)

unless someone enables debugging and authorizes a computer with its individual key to connect.

Authorizing an individual computer wasn't introduced until around 4.2 (Jelly Bean 2) or thereabouts [androidpolice.com] . There are still Android devices in use running older operating systems whose manufacturer declines to update the operating system.

omg starbucks gift card numbers at risk (0)

Anonymous Coward | about 8 months ago | (#45976955)

Correct me if I am wrong, but the phone holds starbucks cards, not credit cards. You connect to starbucks.com to "register" and to setup auto-reload on your starbucks card, in order to earn points. The website caches the CC numbers, the phone holds the starbucks card.

even better... you phone put's your starbucks card in a PDF417 barcode format, making it vulnerable to ocular attack. I could snap a picture of your barcode, and get the benefits of your "auto-reload" starbucks card, and I get free coffee on your dime.

Re:omg starbucks gift card numbers at risk (1)

hawguy (1600213) | about 8 months ago | (#45977323)

Correct me if I am wrong, but the phone holds starbucks cards, not credit cards. You connect to starbucks.com to "register" and to setup auto-reload on your starbucks card, in order to earn points. The website caches the CC numbers, the phone holds the starbucks card.

even better... you phone put's your starbucks card in a PDF417 barcode format, making it vulnerable to ocular attack. I could snap a picture of your barcode, and get the benefits of your "auto-reload" starbucks card, and I get free coffee on your dime.

That's what I was thinking.... Not a huge risk and not what I'd be worried about if someone stole my $600 phone. The card number is printed right on the card so its no more risk than if they stole my wallet.

Re:omg starbucks gift card numbers at risk (2)

BronsCon (927697) | about 8 months ago | (#45978203)

The app also links to one or more credit cards, to refill the Starbucks cards. Seems to me that, if I had your password, I could add my own Starbucks card to your app, transfer all your card balances to it, load it up from your credit card(s), and remove it from your app. And hey, wouldja lookit that? I just emptied out your checking account because one of those credit cards was actually a Visa check card. Oh damn.

I use the Starbucks app, but will remove it from my phone now, until this issue has been provably fixed (and not just a "we've fixed it" from the marketing monkeys who caused it to begin with).

Android? (0)

Anonymous Coward | about 8 months ago | (#45976965)

Well if the android version of this app works as it should, the information would be stored in a non-accessable location requiring a root enabled browser to navigate to it, thus making it basically "not there" when connected to a windows PC.

But.....

Who the hell wants a starbucks app, on any device?

Is this really a surprise? (5, Insightful)

Akratist (1080775) | about 8 months ago | (#45976973)

Anyone who's ever worked in software has to realize that the incompetent pinheads that they've worked with before are still floating around out there, doing ever more damage, instead of just fading away and working as a greeter at Wal-Mart. I've worked with people whose code was terrible, at best, and who were barely able to get their crap to compile. I've also worked with people who had no concept of security (including storing plain text passwords). They've moved on to other software positions, and are still writing bad code for some surprisingly large names. And then, there's the pressure factor. I was once asked to implement a feature that the same as removing any user validation from a high-dollar enterprise app. I flatly refused, because I could pretty much walk out and be in another job within a couple of days. Would a person who is on edge of technical incompetency, and knowing their prospects are limited, take the same position? No, they'll say "Yes sir!", bang that code out, and move on to the next debacle. Good management would alleviate this, but let's face it -- bad managers are a dime a dozen, too.

Re:Is this really a surprise? (0)

Anonymous Coward | about 8 months ago | (#45977073)

Actually, I've worked in software a long time, and I don't think that even the most incompetent of pinheads I've met over the years would allow an app to be released with unencrypted password storage. I mean, even the most inexperienced, irresponsible, unmotivated programmer should know better.

Re:Is this really a surprise? (1)

aaarrrgggh (9205) | about 8 months ago | (#45977229)

The system of logic likely starts with the fact that it is low-value transactions, and a limited maximum stored value. Hey, it's more secure than a credit card, right? Then you get creep...

The Starbucks app has much worse security problems; a photo of the 2D barcode cannot be revoked as a valid credential.

Re:Is this really a surprise? (1)

egranlund (1827406) | about 8 months ago | (#45977903)

The Starbucks app has much worse security problems; a photo of the 2D barcode cannot be revoked as a valid credential.

In the Starbucks app you can create a new card and then delete the old one. Or just go purchase another card and add it into the Starbucks app.

Re:Is this really a surprise? (0)

Anonymous Coward | about 8 months ago | (#45977259)

Actually, I've worked in software a long time, and I don't think that even the most incompetent of pinheads I've met over the years would allow an app to be released with unencrypted password storage. I mean, even the most inexperienced, irresponsible, unmotivated programmer should know better.

Does Starbucks allow some manner of encryption in their API that allows the user to store a password on the device but have that storage be completely worthless to anyone with physical access to the device?

If not, then there is no way to truly bulletproof their password storage for the same reasons unbreakable DRM involving locally-stored keys is impossible. At some point the app will need some token to given to the server, and that token will need to be generated somehow. If the password's encrypted on the device, the device will need to decrypt it somehow before sending it out to the server. If it has the ability to send out the encrypted string, someone can just intercept that string and send it out. If there's a form of public-key system in place, having physical access to the device means the attacker has access to the keys to manipulate the encryption AND the password string. If the app just stores a session token, the token's expiration will remove the convenience of storing the password in the first place. If the attacker doesn't have physical access to the device, how the app stores the password internally is irrelevant.

Re:Is this really a surprise? (0)

Anonymous Coward | about 8 months ago | (#45977309)

Apparently you've worked with smarter people than the rest of us. Good for you, but your experience isn't typical.

Re:Is this really a surprise? (1)

skids (119237) | about 8 months ago | (#45977725)

It goes like this:

PHB: So how's that App coming.
Coder: It is basically functional but we still need to work on the securi...
PHB: SHIP IT!

Re:Is this really a surprise? (0)

Anonymous Coward | about 8 months ago | (#45977203)

You don't refuse, you just CC the legal dept. and ask if they have sufficient insurance to cover the consequences...

Re:Is this really a surprise? (2)

dkleinsc (563838) | about 8 months ago | (#45978459)

Funny story about this point (anonymized to protect the guilty): A former coworker described working with a guy about 5 years ago who wasn't familiar with the concept of an "array", or in fact much else that would imply any kind of structure or competence. He lasted about 3-5 days before he was caught. Well, I decided to move on, and landed a position in another organization, and lo and behold that same guy had been their sole developer for 4 years! In addition, he'd done some work for some small businesses on the side, and screwed up their stuff too.

So don't hate these people too much: Reasonably competent people like me can make very good money cleaning up their messes!

I'm Up In Yer iPhone (0)

Anonymous Coward | about 8 months ago | (#45977013)

I'm up in yer iPhone, orderin up the moca-choca-grande-blizatte-frappafuckarino and chargin it to your CC.

I can't wait to see the deluge of hipster outrage conflicting with the hipster Starbucks loyalty. Heads will be exploding all over the place.

My Order (2)

slapout (93640) | about 8 months ago | (#45977063)

Yeah, I'd like a Venti Latte with a shot of espresso and a shot of security vulnerabilities.

Re:My Order (0)

Anonymous Coward | about 8 months ago | (#45977243)

I just imagined someone stealing a phone with this app, walking into a SB, ordering 20 Venti double mocha orange frapachinos, dance to "Wake Me Up Before you Go Go" by Wham! and dying from a heart attack.

Re:My Order (0)

Anonymous Coward | about 8 months ago | (#45977289)

What might a Starbucks app actually do that needs a password?

Re:My Order (0)

Anonymous Coward | about 8 months ago | (#45977437)

The only thing it does is that you can register gift cards with it and someone could charge Starbucks purchases to the phone for whatever the balance is. No great shakes but it's still sloppy. But I know where you're going with this... Some people are acting like it's an open door to serious identity theft. Most of those same people are using this story as a springboard to fly into a rant against Starbucks on totally unrelated matters. I swear it just never ends.
 
Different Day, Same Slashdot.

Nobody gives a fuck (4, Insightful)

Anonymous Coward | about 8 months ago | (#45977071)

If you're concerned about data security, you don't have meaningful data on your phone. Most smartphone apps wouldn't pass as prototypes in any serious environment. The entire system is made to look nice first, functionality is a distant second and security doesn't even make the list. Users do not care. It's like credit cards: Convenience trumps all.

Re:Nobody gives a fuck (1)

Jeff Flanagan (2981883) | about 8 months ago | (#45978035)

Quoting the wise AC to get this a little more visible:

If you're concerned about data security, you don't have meaningful data on your phone. Most smartphone apps wouldn't pass as prototypes in any serious environment. The entire system is made to look nice first, functionality is a distant second and security doesn't even make the list. Users do not care. It's like credit cards: Convenience trumps all.

Don't like coffe... (0)

Anonymous Coward | about 8 months ago | (#45977221)

I prefer whisky... and don't like smartphones either, so yeah...

Captcha: critique

A bit over-sensationalized (3, Insightful)

aviators99 (895782) | about 8 months ago | (#45977237)

First, there's no question that this is an example of a horrible design, and a security flaw that should be fixed.

But the article is way over-the-top. It talks about "credit card numbers", pretty much implying that they are in clear text (TFA, not the actual report). Credit card numbers are not stored in clear text, nor would the clear text credentials give you access to the credit card numbers.

Also, this is really an article about bypassing the lock code, and nothing else. Physical access to a computer (phone) can eventually get you more sensitive stuff than a cup of coffee.

Re:A bit over-sensationalized (2)

Anonymous Psychopath (18031) | about 8 months ago | (#45977611)

First, there's no question that this is an example of a horrible design, and a security flaw that should be fixed.

But the article is way over-the-top. It talks about "credit card numbers", pretty much implying that they are in clear text (TFA, not the actual report). Credit card numbers are not stored in clear text, nor would the clear text credentials give you access to the credit card numbers.

Also, this is really an article about bypassing the lock code, and nothing else. Physical access to a computer (phone) can eventually get you more sensitive stuff than a cup of coffee.

I don't think credit card numbers are used by the app, anyway. All it has is my Starbucks card linked to it, which in turn is linked to my credit card. But that's on their web site, not the phone app. Not saying they're doing any better of a job storing my credit card information in their back-end databases, but I'm reasonably sure it's not stored on my phone.

Re:A bit over-sensationalized (2)

gstoddart (321705) | about 8 months ago | (#45977697)

I don't think credit card numbers are used by the app, anyway. All it has is my Starbucks card linked to it, which in turn is linked to my credit card. But that's on their web site, not the phone app.

So, the question one needs to ask is ... if the website is storing your credit card, and the app is storing your password in plaintext ... given your password and knowledge of your Starbucks card (which is apparently on the phone), can someone get into the Starbucks website and actually get to your credit card?

In which case, this would be a security risk because you're only really one hop from the CC info.

If this password is also how you log into the website, then it's still terrible security and not really going to deter anybody.

Re:A bit over-sensationalized (1)

aviators99 (895782) | about 8 months ago | (#45977773)

AFIAK, the website doesn't allow you to retrieve your credit card; just change it.

Not as retro as I hoped (1)

wonkey_monkey (2592601) | about 8 months ago | (#45977657)

simply by connecting the phone to a computer

On first read I thought someone had hacked into their servers over dial-up, but it wasn't that interesting.

Always look at the app requirements (2)

magarity (164372) | about 8 months ago | (#45977677)

The Starbuck's app requirement list clearly indicates all kinds of terrible behavio including it needs to be able to make calls and read your contacts list. There may be more, but after those two I stopped reading and declined to install. A vendor's app has no need to do these things. I figured if they're already that bad, there's no telling what mischief their app might get up to.

That's a Feature (4, Insightful)

TangoMargarine (1617195) | about 8 months ago | (#45977803)

Firefox (unless you turn on the master password) and Pidgin also store passwords in cleartext. The Pidgin devs explained that this is because they don't want to implement security through obscurity, as anyone with access to the stored plaintext xml file already has access to your computer anyway and could presumably decrypt it if they tried to secure it anyway.

Admittedly, it's a bit different when we're talking about cell phones.

Re:That's a Feature (1)

Palinchron (924876) | about 8 months ago | (#45978961)

Why exactly is it different when talking about cellphones? The exact same approach still works. What could Starbucks do to improve on this?

Dumping username/password/oauth tokens - bad (0)

Anonymous Coward | about 8 months ago | (#45977885)

A verbose disclosure

http://seclists.org/fulldisclosure/2014/Jan/64

Re:Dumping username/password/oauth tokens - bad (0)

Anonymous Coward | about 8 months ago | (#45977917)

A verbose disclosure

http://seclists.org/fulldisclosure/2014/Jan/64

rather.... dumping username/password/oauthtokens to log files is bad

Oh no! (1)

viperidaenz (2515578) | about 8 months ago | (#45978053)

Someone might steal your phone then... buy you a coffee?

Android seems ok (1)

GweeDo (127172) | about 8 months ago | (#45978847)

I didn't spend much time on it, but this doesn't seem to be the case on Android. First of all, they never store things outside of /data/data/com.starbucks.mobilecard. So only a root application would be able to read things. Secondly, the main sqlite database they seem to be storing things in is encrypted.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?