Starbucks brews security vulnerability with its soy lattes
Some coffee aficionados might dislike my taste in coffee. I consume trendy drinks like Skinny Vanilla Lattes from Starbucks when on the go and Keurig coffee pods at home -- hardly a French press. While the Starbucks drinks are expensive, this is my only vice -- I do not drink alcohol or smoke, so I justify the cost that way.
Whenever I am at the famous coffee chain, I see a lot of people using Apple devices. One of the coolest things about this is that Starbucks offers an iPhone app which makes it possible to make purchases using the smartphone. Sadly though, it has come to light that there is a vulnerability in the software. While security weaknesses in the Java programming language are nothing new, one regarding java the drink is.
"This week a research report identified theoretical vulnerabilities associated with the Starbucks Mobile App for iOS in the event a customer's iPhone were to be physically stolen and hacked", says Curt Garner, Starbucks CIO. "We'd like to be clear -- there is no indication that any customer has been impacted by this or that any information has been compromised. Regardless, we take these types of concerns seriously and have added several safeguards to protect the information you share with us. To protect the integrity of these added measures, we are unable to share technical details but can assure you that they sufficiently address the concerns raised in the research report".
Garner further says, "out of an abundance of caution, we are also working to accelerate the deployment of an update for the app that will add extra layers of protection. We expect this update to be ready soon and will share our progress here. While we are working on the update, we would like to emphasize that your information is protected and that you should continue to feel confident about the integrity of our iOS app".
The report that he references is by security researcher Daniel Wood, and it claims the iOS app was storing passwords in plain text. Obviously, this is very troubling, because it is completely avoidable. Passwords should always be encrypted.
While the company should be applauded for resolving the issue so quickly, its secretive answer about how it did so is unacceptable. Saying that the secrecy is to "protect the integrity of these added measures" makes it sound as if the solution can be easily bypassed. Honesty and transparency are the best way to make amends with slighted consumers.
Do you still trust Starbucks? Tell me in the comments.