Welcome to securityCRUSH

Welcome to the securityCRUSH blog, a place where you can find random musings as well as postings relevant to information security, penetration testing, and my latest projects - Daniel Wood.

Sunday, January 19, 2014

Musings on Starbucks

Much has happened since I posted the original research on the Full Disclosure mailing list regarding Starbucks and how their mobile application was logging sensitive user data elements in clear text.

Many people have contacted me regarding the reporting timeline and the details of such. Unfortunately, many individuals are also posting incorrect information on the matter, so I thought I would address these issues, and many others, here.

I originally reached out to Starbucks on December 6, 2013 through their customer service. Over the next month I traded communications back and forth with Starbucks' Customer Service department, ultimately leaving the ball in their court regarding contacting me with a follow-up on what I deemed important, if not critical, sensitive information. Unfortunately, this never happened and here we are. On January 13, 2014 I published some (but not all) of my findings regarding the application on Full Disclosure. The information was picked up by the media and, before I knew it, it made it onto national and international headlines.

This led to Starbucks expressing interest in speaking with me privately.  I reached out to a PR official at Starbucks directly to let them know I was willing to attempt lines of communication again.  Long story short, I've been in communication with Starbucks throughout the past week and have tested their latest release of the updated application to confirm that the security vulnerability was remediated appropriately.  You can read Starbucks' original post that was updated with the new iOS mobile app here.

There has been a lot of media sensationalizing of the Starbucks iOS mobile app vulnerability. I've seen articles written with titles claiming Starbucks was hacked, that it's related to Neiman Marcus and Target, and that 10 million customers' data was at risk. All of this is unequivocally not true. In my latest update on the matter I address this and many other incorrect conclusions drawn by the media.

Probably the biggest issue I have with the entire situation was the quotes I've read about the vulnerability being "theoretical" in nature. This was not a theoretical vulnerability; it was a very real issue. I think the term was applied due to the perceived complexity of the attack to exploit the vulnerability. In all honesty, it isn't difficult to pull off, and it's not unheard of to have your phone stolen while you're out and about, or to leave it on a table somewhere. While the chance of someone knowing where to look for this information, or how to even do it, is very slim, I cannot in good faith say it couldn't happen. This by no means should be downplayed and classified as "theoretical" in nature.

With that said, I want to thank everyone - my wife, family, friends and colleagues for being supportive during the past week; the media that was accurately reporting events; and Starbucks. I believe Starbucks has acted in good faith to address this issue in a timely manner, pushing a security fix out so soon after this was reported on. Starbucks was forced to learn some hard lessons with this incident; however, I believe they will take this in stride and only improve upon the areas they were lacking in.

Daniel Wood
