Since the publication of the Starbucks mobile iOS app vulnerability, I have received many questions from journalists, security researchers and other people interested in understanding what occurs during a mobile app security assessment and just how much work is involved.
I am currently working on analyzing a few applications from the App Store that I will be publishing findings about due to their vulnerabilities. Hopefully within a week's time I will have a write-up complete that uses one or more of these apps as examples. Everyone loves pretty pictures :)
Thursday, January 23, 2014
Sunday, January 19, 2014
Much has happened since I posted the original research on the Full Disclosure mailing list regarding Starbucks and how their mobile application was logging sensitive user data elements in clear text.
Many people have contacted me regarding the reporting timeline and the details of such. Unfortunately many individuals are also posting incorrect information on the matter so I thought I would address these issues, and many others here.
I originally reached out to Starbucks on December 6, 2013 through their customer service. Over the next month I traded communications back and forth with Starbucks' Customer Service department, ultimately leaving the ball in their court regarding contacting me with a follow-up on what I deemed important, if not critical, sensitive information. Unfortunately, this never happened and here we are. On January 13, 2014 I published some (but not all) of my findings regarding the application on Full Disclosure. The information was picked up by the media and before I knew it, it made it onto national and international headlines.
This led to Starbucks expressing interest in speaking with me privately. I reached out to a PR official at Starbucks directly to let them know I was willing to attempt lines of communication again. Long story short, I've been in communication with Starbucks throughout the past week and have tested their latest release of the updated application to confirm that the security vulnerability was remediated appropriately. You can read Starbucks' original post that was updated with the new iOS mobile app here.
There has been a lot of media sensationalizing the Starbucks iOS mobile app vulnerability. I've seen articles written with titles claiming Starbucks was hacked, that it's related to Neiman Marcus and Target, and that 10 million customers' data was at risk. All of this is unequivocally not true. In my latest update on the matter I address this and many other incorrect conclusions drawn by the media.
Probably the biggest issue I have with the entire situation was the quotes I've read about the vulnerability being "theoretical" in nature. This was not a theoretical vulnerability; it was a very real issue. I think the term was applied due to the perceived complexity of the attack to exploit the vulnerability. In all honesty, it isn't difficult to pull off, and it's not unheard of to have your phone stolen while you're out and about, or to leave it on a table somewhere. While the chance of someone knowing where to look for this information, or how to even do it, is very slim, I cannot in good faith say it couldn't happen. This by no means should be downplayed and classified as "theoretical" in nature.
With that said, I want to thank everyone - my wife, family, friends and colleagues for being supportive during the past week; the media that was accurately reporting events; and Starbucks. I believe Starbucks acted in good faith to address this issue in a timely manner and push a security fix out so soon after this was reported on. Starbucks was forced to learn some hard lessons with this incident; however, I believe they will take this in stride and only improve upon the areas they were lacking in.