So an automation professional goes to the local Starbucks to buy his tall latte and pays with the Starbucks iOS app, which is protected by the same password he uses for everything else.
That is where the fun can begin, because as it turns out, Starbucks’ iOS mobile application stores users’ usernames, email addresses and passwords in clear text. A security researcher discovered this and has been trying to report it to the company for months.
After repeatedly ending up in customer service, Daniel Wood decided to go public with his discovery on the Full Disclosure mailing list.
“Username, email address, and password elements are being stored in clear-text in the session.clslog Crashlytics log file,” he said. “Within session.clslog there are multiple instances of the storage of clear-text credentials that can be recovered and leveraged for unauthorized usage of a user’s account on the malicious user’s own device or online at https://www.starbucks.com/account/signin. It contains the HTML of the mobile application page that performs the account login or account reset. session.clslog also contains the OAuth token (signed with HMAC-SHA1) and OAuth signature for the user’s account/device to the Starbucks service.”
The danger lies mostly in the fact that the app can make purchases at Starbucks, and some users enable the auto-replenish option, which lets the app draw money from the user’s bank account and transfer it to their Starbucks account.
Anyone who steals a user’s iPhone, or borrows it and knows which tool to use, can easily read that log file, even if the phone is locked.
With the username and password, he can drain the victim’s Starbucks account either through the app (if he also guesses the PIN) or through the Starbucks website.
Another, more serious problem may arise if the victim uses the same login credentials for more important accounts.
Since the information about the flaw was made public, Starbucks executives have said they already knew about it and have put adequate security measures in place to address it.
They did not specify what those measures were, and Wood said the flaw is still present in the latest version of the app. This time he also noticed that a geolocation history file likewise stores its data in clear text, which can reveal the victim’s movements.
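The practical check that follows from Wood’s findings is to pull an app’s container off the device (or out of a backup) and grep its crash-reporter and analytics logs for anything that looks like a credential, an OAuth token or a location fix. The script below is an added example written for this page; it is not Wood’s tooling and not Starbucks’ or Crashlytics’ code. The sample session.clslog content, the `Library/Caches/com.crashlytics.data` directory layout, the field names and the regular expressions are all constructed assumptions that mimic what the article describes, not a copy of the real file format.

```python
"""Scan an extracted iOS app container for clear-text credentials, OAuth
material and location data left in crash/analytics logs.

Added example for this article, not code from the researcher, Starbucks or
Crashlytics. The log layout, paths and patterns below are assumptions.
"""
import os
import re
import tempfile

# Constructed sample of what a crash reporter might capture when an app logs
# the login page's HTML and its signed requests verbatim. NOT real data.
SAMPLE_CLSLOG = """\
[2014-01-13 10:42:11] session start device=iPhone6,1 os=7.0.4
[2014-01-13 10:42:13] view=AccountSignIn html=<form id="signin"><input name="username" value="jdoe"/><input name="email" value="jdoe@example.com"/><input name="password" value="hunter2!"/></form>
[2014-01-13 10:42:14] request POST /account/signin Authorization: OAuth oauth_consumer_key="abc123", oauth_signature_method="HMAC-SHA1", oauth_token="tok-0f3a9c", oauth_signature="Zm9vYmFy%3D"
[2014-01-13 10:42:15] location lat=47.6097 lon=-122.3331
[2014-01-13 10:43:02] view=StoreLocator html=<div>nearby</div>
"""

# Data that should never reach an analytics log. Each entry maps a finding
# name to a regex whose capture group(s) hold the sensitive value.
PATTERNS = {
    "password":        re.compile(r'name="password"\s+value="([^"]*)"'),
    "username":        re.compile(r'name="username"\s+value="([^"]*)"'),
    "email":           re.compile(r'name="email"\s+value="([^"]*)"'),
    "oauth_token":     re.compile(r'oauth_token="([^"]+)"'),
    "oauth_signature": re.compile(r'oauth_signature="([^"]+)"'),
    "geolocation":     re.compile(r'lat=(-?\d+\.\d+)\s+lon=(-?\d+\.\d+)'),
}

# File suffixes an examiner would look at first in an app sandbox dump.
LOG_NAME_HINTS = (".clslog", ".log", ".txt")


def redact(value: str) -> str:
    """Keep enough to confirm a hit without copying the secret into the report."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def scan_text(text: str, source: str = "<memory>") -> list:
    """Return (source, line_no, kind, redacted_value) tuples for every hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                raw = ",".join(m.groups())
                findings.append((source, line_no, kind, redact(raw)))
    return findings


def scan_container(root: str) -> list:
    """Walk an extracted app container and scan every log-like file in it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(LOG_NAME_HINTS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(fh.read(), source=os.path.relpath(path, root)))
    return findings


def worst_severity(findings: list) -> str:
    """Collapse the findings to one verdict for a quick triage."""
    kinds = {f[2] for f in findings}
    if "password" in kinds:
        return "critical"   # account takeover in the app and on the website
    if kinds & {"oauth_token", "oauth_signature"}:
        return "high"       # request replay until the token is revoked
    if kinds:
        return "medium"     # PII or movement history
    return "none"


def demo() -> list:
    """Build a throwaway container (assumed Crashlytics cache path) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        log_dir = os.path.join(root, "Library", "Caches", "com.crashlytics.data", "session")
        os.makedirs(log_dir)
        with open(os.path.join(log_dir, "session.clslog"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CLSLOG)
        return scan_container(root)


if __name__ == "__main__":
    hits = demo()
    for src, ln, kind, val in hits:
        print(f"{src}:{ln}: {kind} = {val}")
    print("verdict:", worst_severity(hits))
```

Point `scan_container` at a real extracted container (from a jailbroken device or an unencrypted iTunes backup) instead of the temporary directory to run it for real. The values are redacted on purpose: the goal of the check is to prove that a log captures secrets, not to build a second copy of them in the report.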