COFFEE VENDOR Starbucks has acknowledged a security flaw in its iOS digital wallet app.
Security researcher Daniel Wood discovered the flaw in November when a deconstruction of the app revealed that users' data was being stored unencrypted within the app's own files. Anyone with physical access to the phone could connect it to a computer and retrieve not only user names and passwords but also enough location history to build up a picture of the user's movements and routine, down to whether or not they liked hazelnut syrup and cinnamon sprinkles.
Mr Wood first tried to alert Starbucks in November 2013 but, after being repeatedly put on hold, opted instead to publish his findings online.
According to Computerworld, Starbucks was not completely shocked at the news. Chief digital officer Adam Brotman is quoted as saying, "We were aware... That was not something that was news to us."
He went on to say that security measures had been put in place to alleviate the problem, but did not detail what they were. However, when Wood reran his tests following Brotman's remarks, he found that he could still access the data in plain text, along with the geolocation file.
Wood explained, "You don't need a user's PIN in order to pull raw data off the phone using the tool and methods I have used. So if a user's phone is stolen, regardless of being PIN-protected, you are able to bypass that and access the app's Library/Cache and pull the session.clslog file."
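The check Wood describes, copying an app's cache directory off a device and reading it for plaintext, can be repeated against an extracted copy of any app's sandbox. The Python script below is an added example written for this page; it is not code from the article, from Wood or from Starbucks. It assumes the container has already been copied into a local directory, and the Library/Caches layout and the log lines it scans are constructed for the demo: the real session.clslog format is not described in the article.

```python
"""Audit an extracted iOS app sandbox for plaintext credentials and location data.

Added example, not code from the article, from Daniel Wood or from Starbucks.
Assumes the app container has already been copied off the device into a local
directory and that the files under Library/Caches are plain text. The log lines
written by build_demo_container() are constructed for this demo.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List

# Things that should never sit unencrypted in an app's sandbox.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    # key=value / key: value where the key names a secret
    "password": re.compile(r"(?i)\b(pass(word)?|pwd|pin)\b\s*[:=]\s*(\S+)"),
    # a lat/lon pair such as lat=47.6097 lon=-122.3331
    "geolocation": re.compile(
        r"(?i)\blat(itude)?\b\s*[:=]\s*(-?\d{1,2}\.\d+)\D+\blon(gitude)?\b\s*[:=]\s*(-?\d{1,3}\.\d+)"
    ),
}


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    excerpt: str


def scan_file(path: str) -> List[Finding]:
    """Return one Finding per (line, pattern) hit in a single file."""
    findings: List[Finding] = []
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            for line_no, line in enumerate(fh, start=1):
                for kind, pat in PATTERNS.items():
                    m = pat.search(line)
                    if m:
                        findings.append(Finding(path, line_no, kind, m.group(0)))
    except OSError:
        pass  # unreadable file: skip rather than abort the whole audit
    return findings


def scan_container(root: str) -> List[Finding]:
    """Walk the whole extracted sandbox, not just the file we already know about."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            findings.extend(scan_file(os.path.join(dirpath, name)))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by kind so an auditor can see at a glance what leaked."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def build_demo_container() -> str:
    """Create a constructed sandbox with a Library/Caches/session.clslog file.

    The layout and every line below are made up for the demo; the article does
    not describe the real file's format.
    """
    root = tempfile.mkdtemp(prefix="appbox-")
    cache = os.path.join(root, "Library", "Caches")
    os.makedirs(cache)
    lines = [
        "2014-01-14 08:02:11 app_start build=2.6.1",
        "2014-01-14 08:02:12 login username=alice@example.com password=hunter2",
        "2014-01-14 08:02:13 location lat=47.6097 lon=-122.3331 store=1234",
        "2014-01-14 08:05:40 order item=latte syrup=hazelnut",
    ]
    with open(os.path.join(cache, "session.clslog"), "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    return root


if __name__ == "__main__":
    box = build_demo_container()
    for f in scan_container(box):
        rel = os.path.relpath(f.path, box)
        print(f"{f.kind:12} {rel}:{f.line_no}  {f.excerpt}")
```

Run against a real extracted container, the script points at exactly the kind of file the researcher pulled: any hit under Library/Caches means the data is readable by whoever can copy the sandbox, PIN or not, and belongs in the Keychain or an encrypted store instead.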
While a thief stealing your phone and then hacking it to steal your coffee is somewhat implausible, as digital currency moves into the mainstream this kind of oversight is an example of the problems we will face if app developers are less than careful.
Starbucks has since announced that a fix is on its way, which is expected to roll out over the next few days. µ