Security researcher Daniel Wood has found that the iOS version of the Starbucks app stores user credentials in clear text. He has decided to make his discovery public after failed attempts to report his findings to the company.
In a post on the Full Disclosure mailing list, Wood explained that usernames, email addresses and passwords are stored in clear text in a log file.
“Within session.clslog there are multiple instances of the storage of clear-text credentials that can be recovered and leveraged for unauthorized usage of a user’s account on the malicious user’s own device or online at http://www.starbucks.com/account/signin,” the expert noted.
“It contains the HTML of the mobile application page that performs the account login or account reset. session.clslog also contains the OAuth token (signed with HMAC-SHA1) and OAuth signature for the user’s account/device to the Starbucks service.”
The expert says that the app’s developers should employ output sanitization to ensure that the information is not stored in the log files in clear text.
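To make that recommendation concrete, the following is an added example (not Starbucks code and not Wood's tooling): a small Python log sanitizer that redacts credential and OAuth values at the logging output boundary, together with a scanner that finds such values in an existing log. The sample log lines are constructed for the example in the shape the advisory describes (a URL-encoded login body, the logged HTML of the login form, and an OAuth 1.0 Authorization header); the field names in SENSITIVE_KEYS are assumptions about how such an app might name them, not names taken from the real app.

```python
"""Constructed example: redact clear-text credentials and OAuth material
from log output, and scan a log for values that slipped through.
Not Starbucks code; field names and sample lines are assumptions."""
import io
import logging
import re

# Assumed parameter/field names that must never reach a log in clear text.
SENSITIVE_KEYS = {"username", "email", "password", "oauth_token", "oauth_signature"}
REDACTED = "[REDACTED]"

# key=value and key="value" pairs: URL-encoded bodies, query strings and
# OAuth 1.0 Authorization headers (comma separated, double-quoted values).
KV_RE = re.compile(r'(?P<key>[A-Za-z_][A-Za-z0-9_]*)=(?P<q>"?)(?P<val>[^&\s,"]+)(?P=q)')
# <input ...> tags inside logged HTML, with name/value attributes in any order.
TAG_RE = re.compile(r"<input\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""\b(name|value)=(["'])(.*?)\2""", re.IGNORECASE)

# Constructed sample in the shape of a session log that captured a login,
# the login page HTML, and an OAuth-signed request.
SAMPLE_LOG = """\
2014-01-13 09:12:01 POST /account/signin username=alice&email=alice%40example.com&password=hunter2
2014-01-13 09:12:01 page: <form><input type="text" name="username" value="alice"><input type="password" name="password" value="hunter2"></form>
2014-01-13 09:12:02 Authorization: OAuth oauth_consumer_key="app", oauth_token="tok123", oauth_signature="c2lnbmF0dXJl%3D", oauth_signature_method="HMAC-SHA1"
2014-01-13 09:12:03 GET /stores?lat=47.61&lon=-122.33
"""


def find_secrets(line):
    """Return [(key, value)] for every sensitive value found in one log line."""
    found = []
    for m in KV_RE.finditer(line):
        if m.group("key").lower() in SENSITIVE_KEYS and m.group("val") != REDACTED:
            found.append((m.group("key").lower(), m.group("val")))
    for tag in TAG_RE.finditer(line):
        attrs = {k.lower(): v for k, _, v in ATTR_RE.findall(tag.group(0))}
        name = attrs.get("name", "").lower()
        value = attrs.get("value", "")
        if name in SENSITIVE_KEYS and value and value != REDACTED:
            found.append((name, value))
    return found


def scan_log(text):
    """Scan a whole log; return [(line_no, key, value)] for clear-text secrets."""
    return [(n, key, val)
            for n, line in enumerate(text.splitlines(), 1)
            for key, val in find_secrets(line)]


def redact(line):
    """Replace sensitive values with a placeholder; keys are kept for debugging."""
    def kv_sub(m):
        if m.group("key").lower() in SENSITIVE_KEYS:
            return f'{m.group("key")}={m.group("q")}{REDACTED}{m.group("q")}'
        return m.group(0)

    def tag_sub(m):
        tag = m.group(0)
        attrs = {k.lower(): v for k, _, v in ATTR_RE.findall(tag)}
        if attrs.get("name", "").lower() in SENSITIVE_KEYS:
            return re.sub(r"""\bvalue=(["']).*?\1""", rf"value=\1{REDACTED}\1",
                          tag, flags=re.IGNORECASE)
        return tag

    return TAG_RE.sub(tag_sub, KV_RE.sub(kv_sub, line))


def sanitize_log(text):
    """Redact every line of an existing log (e.g. before shipping it)."""
    return "\n".join(redact(line) for line in text.splitlines()) + "\n"


class RedactingFilter(logging.Filter):
    """Output sanitization: redact at the handler, so nothing sensitive is written."""
    def filter(self, record):
        record.msg = redact(record.getMessage())  # format first, then redact
        record.args = ()
        return True


def log_through_filter(msg, *args):
    """Emit one record through a logger fitted with RedactingFilter; return the line."""
    buf = io.StringIO()
    logger = logging.getLogger("session")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buf)
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    logger.debug(msg, *args)
    handler.flush()
    return buf.getvalue().rstrip("\n")


if __name__ == "__main__":
    for n, key, val in scan_log(SAMPLE_LOG):
        print(f"line {n}: clear-text {key} = {val}")
    print(sanitize_log(SAMPLE_LOG))
    print(log_through_filter("login body: %s", "username=alice&password=hunter2"))
```

The filter sits on the handler rather than on a call site, which is the point of sanitizing at output: every code path that logs a request body, a page of HTML or an Authorization header is covered, including third-party logging you did not write. The scanner is the check to run against a device's log files after such a fix, since the page reports that a re-test of the updated app still turned up credentials.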
The problem with this kind of vulnerability is that anyone with physical access to the device could read the log file and recover the credentials. Because many people reuse the same password across services, the exposure is not limited to the Starbucks account.
Furthermore, the app can be used to make purchases at Starbucks, so an attacker who takes over the account can also reach the financial information tied to it.
IDG has contacted Starbucks representatives. They claim to have implemented some changes to protect users against such attacks. However, the company has refused to go into any details.
On the other hand, Wood says he has re-tested the latest version of the Starbucks iOS app and found that user credentials are still accessible in clear text. Furthermore, he has found that geolocation information is also available in one file.