Starbucks Fixes Vulnerable iOS App, Geolocation Issue Persists

Starbucks has patched a vulnerability in its iOS app that was found spilling user data last week but the researcher that found the vulnerability is still encouraging the company to look at an outstanding geolocation issue present in the app.

Starbucks has patched a vulnerability in its iOS app that was found last week spilling user data, including usernames and passwords, by adding what it’s called an “additional safeguard measure” to protect its customers.

While it’s a relatively quick turnaround for the company – it only took about four days for it to push out a new version of the app – the security researcher who found the vulnerability is encouraging the company to give one remaining issue its fair shake. According to a post on Full Disclosure’s seclists.org Friday, security researcher Daniel Wood is hoping the coffee conglomerate takes a look at an outstanding geolocation issue still present in the application.

The issue isn’t a huge one – Wood says he doesn’t believe it’s even a security concern per se – but that it’s still worth fixing.

It involves a file stored on iOS devices under /Starbucks/Library/Preferences/com.starbucks.mystarbucks.plist that contains the location data of a users’ last logged geolocation. According to Wood the difference between this file and the old file, session.clslog, is that this information is the last location a customer has used their device and not a running log of where customers have been.

“I do recommend that the above issue [with mystarbucks.plist] be remediated within the next release cycle of the mobile application to prevent a customers’ last logged geolocation data from being stored,” Wood said in his write-up.

While the geolocation information is overwritten each time and can’t be used to track user movement patterns over time there’s a chance it could still could be used in coordinating an attack, perhaps in a social engineering capacity.

Last week it was discovered that a file (session.cslog) on version 2.6.1 of the app stored users’ personal information – their username, email address, address, geolocation data and password – in clear text. Starbucks initially dismissed Wood’s report, calling the vulnerabilities “theoretical” and asserting there was “no known impact” to their customers at the time.

The vulnerability was locally exploitable, Starbucks’ servers were never hacked and there was never a chance that users’ credit card info could have been in danger.

Late last week however the company’s Chief Information Officer Curt Garner released a letter to its users assuring them that “out of an abundance of caution” Starbucks was working hard to “accelerate the deployment of an update for the app.”

The company did just that on Friday when it released version 2.6.2 of the app. Now when users open the updated version “it clears session.clslog out, effectively wiping this data off your device,” according to Wood.

“This behavior makes sense as the application is required to run in order to execute the programmatic functions that address the issue of a static file that was being spooled to,” Wood rationalized.

With the updated app, since data elements are no longer being written to the session.clslog file in clear text, users should expect their information will be safe going forward.

Starbucks’ app is one of the most popular apps available for iOS and routinely appears in the Apple’s “Top 100 Free Apps” section. The app lets users connect their Starbucks card to their smartphone, reload funds via credit card and treat the phone like cash in stores worldwide.

Suggested articles