A vulnerability in Starbucks’ mobile app could be putting coffee drinkers’ information–including their usernames, email addresses and passwords–at risk.
The problem stems from the way session.clslog, the Crashlytics log file, handles those credentials in the event of a crash. Within the file there are “multiple instances” where the credentials are stored in clear text, something that could allow attackers to recover and later leverage the information to access a users’ account, either on the device in question or online at Starbucks’ account log-in page.
The vulnerability exists in the most recent build of the app, version 2.6.1 for iOS.
Starbucks’ app lets users connect their Starbucks card to their smartphone, reload funds via Paypal or credit card and allows them to treat the device like cash in stores worldwide. Ardent java fans can manage their card through the app and accrue Rewards with each purchase.
Daniel Wood, a Minneapolis-based security researcher and pen tester discovered the vulnerability last year, reported it to Starbucks in December but has yet to hear from the company regarding a fix.
It wasn’t until Monday however that Wood went public and published his findings on seclists.org’s Full Disclosure.
According to Wood, the file, which can be found at /Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog, contains more than just the user’s login information.
In re-testing the vulnerability last night Wood discovered that the user’s full name, address, device ID and geolocation data are all being stored in clear text as well. This information popped up after Wood reinstalled the app and monitored the session.cslog file during user signup.
Wood also found the app’s OAuth token and the OAuth signature attached to the device in question.
“It contains the HTML of the mobile application page that performs the account login or account reset. session.clslog also contains the OAuth token (signed with HMAC-SHA1) and OAuth signature for the users account/device to the Starbucks service,” Wood said in his write-up.
It’s unclear if a fix is in the works for the app but Starbucks hasn’t released an update since May 2, 2013.
Wood, a member of Open Web Application Security Project (OWASP), recommends future versions of the app adhere to best practices.
In this case, Starbucks should filter and sanitize data upon output “to prevent these data elements from being stored in the Crashlytics log files in clear text, if at all,” Wood writes in his disclosure.
When reached Wednesday, Crashlytics, a Boston-based firm that specializes in crash reporting solutions, couldn’t comment on specific customers but did reiterate that the firm doesn’t recommend developers log sensitive information.
Crashlytics Cofounder Wayne Chang said via email that the issue appears to involve one of the service’s plaintext logging features and that Crashlytics doesn’t collect usernames or passwords automatically. The feature, CLSLog, is an “optional feature that developers can use to log additional information.”
Wood admits he’s only done static analysis of the application so far and has yet to examine network traffic but suspects there is a privacy issue.
“During my static analysis I noticed some JSON requests which contain some sensitive data in the request,” Wood said, suggesting a vulnerability could be present.
Maggie Jantzen, a spokeswoman for Starbucks claimed the company was aware of Wood’s research and what it has deemed “theoretical vulnerabilities” but insisted Wednesday that there isn’t a direct impact to its customers at this time.
“To further mitigate our customers’ potential risk from these theoretical vulnerabilities, Starbucks has taken additional steps to safeguard any sensitive information that might have been transmitted in this way,” Jantzen said.