Clear text credentials are no longer stored in log files

Jan 20, 2014 13:06 GMT

Last week, security researcher Daniel Wood revealed that the Starbucks iOS app was storing users’ credentials and their locations in log files. Starbucks has rolled out an update for the buggy application and the expert has confirmed that credentials are no longer stored in clear text.

Wood has confirmed that in version 2.6.2 of the app, all sensitive information is removed from the session.clslog data file. Location data is still stored, but only the last location where the customer used the device.

“In summary, Starbucks has effectively addressed the security issues that were documented in my original report published January 14, 2014,” the expert noted.

“However, I do recommend that the above issue be remediated within the next release cycle of the mobile application to prevent a customer’s last logged geolocation data from being stored.”

He has also clarified that Starbucks servers have not been compromised, and that he simply discovered a locally exploitable vulnerability. He also highlights the fact that the security hole could not be leveraged to gain access to credit card information, but only to the user’s Starbucks card number and balance.