Security researcher Daniel E. Wood discovered a vulnerability in the Starbucks official iOS app related to the insecure storage of user data.
10 million Starbucks customers who purchases drinks and food using their Smartphones are exposed to serious risk of data breach.
This
is yet another story in which a poor implementation of minimum security
requirements could have an impact on the end user and it digital identity, just as happened in the Snapchat case.
The official Starbucks iOS app
doesn't encrypting user's data, including your password. The Starbucks
app is usable by the customers to pay products of the popular Coffee
Company, and to perform usual operations available on a banking account
such as control the balance, fund transfer and check transaction
history.
The Security researcher Daniel E. Wood discovered the vulnerability (CVE-2014-0647)
in STARTBUCKS v2.6.1. iOS application, he revealed that the app stores
user's credential details and GPS data in plain text in the following
file:
/Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog
Once
know the location is quite easy for an attacker, that has physical
access to the handset, to retrieve the user's information accessing 'session.clslog'
file. The attacker once accessed with the file could gain access to the
customer’s amount of money available on the Starbucks account.
As
usual the hack could cause further problem to the clients of Starbucks
that used the app if they share same credential on different web
services, the recommendation for who made purchases is to change it
immediately and adopting a different username and password for every service
If
you are using your email password as the same Starbucks account
password, please change it on first priority.Starbucks has promptly
managed the incident, issuing an official statement to inform the clients and a successily providing an advisory to publicize the availability for an app update.
“UPDATE (January 16, 2014 09:00 PM P.S.T.): As promised, we have released an updated version of Starbucks Mobile App for iOS which adds extra layers of protection. We encourage customers to download the update as an additional safeguard measure. Read a letter from Curt Garner, Starbucks chief information officer, regarding customer information and Starbucks Mobile App for iOS”
The
company remarked that there is no evidence that its customers have been
impacted, but let me suggest you to follow the above suggestions.
"We’d like to be clear: there is no indication that any customer has been impacted by this or that any information has been compromised." the company is asking to its customers to report any suspicious activity or fraud occurred.
It’s time to consider seriously the security of mobile apps, such flaws represent a serious threat to a user’s security and privacy, the situation is particularly alarming for mobile banking, a sector considered privileged by cybercriminals.
Not
different is the situation for use of mobile application in workspace, a
growing number of application are developed also by enterprise for
internal use, also in this case security is a must and could expose the
company to risk of cyber attack.
Back to the Starbucks app … also enjoy a cup of coffee could be dangerous, inNaples we say:
"Excuse me, coffee makes me nervous"
"Excuse me, coffee makes me nervous"
No comments:
Post a Comment