App security has become a sensitive topic as more and more private information is being shared by users. Even minor vulnerabilities can be exploited and used to harvest sensitive data for criminal or commercial purposes. The latest high-profile loophole was exposed in the Starbucks iOS app.
The vulnerability was found by Daniel E. Wood, a security expert who researches and shares information on the net. His blog post explained the problem with the Starbucks iOS app, which saved user data elements in an insecure way.
Thousands of Starbucks customers who use the app to send eGifts or make payments were taken aback with the revelations. The global coffee giant didn’t waste any time and delivered a safer version of the app within days.
The research uncovered a serious vulnerability that leaks user information such as passwords, usernames and even geolocation data. The root of the problem was session.clslog, a Crashlytics log file that handles credentials in the event of a system crash. This file was found to store the personal data in clear text, making privacy theft a very possible outcome.
Wood, a pentester based in Minneapolis, located this loophole in 2013 and reported his findings to Starbucks. But a lack of response from the commercial giant led him to publish his research on SecLists.org blog. Full Disclosure exposed how Starbucks customer’s data was saved in text format and how hackers could potentially harvest the information easily.
The publication triggered a huge backlash from customers, causing Starbucks to issue a new software version of their iOS app. The new Version 2.6.2 was released just days after the blog post findings went viral. Starbucks users are advised to update their old Version 2.6.1 app. This will clear the existing session.clslog file, wiping out all sensitive information.
Wood is now pointing at a minor geolocation tagging issue with the application in his follow-up research. The last location of the user is still saved by the app, but it no longer appears as an accessible log that can be exploited for commercial purposes. Still a favorite in the “Top 100 Free Apps” section of the iOS Store, the Starbucks app is now less vulnerable.
Source – Starbucks Fixes Vulnerable iOS App