Evan Schuman: Starbucks sat on its clear-text password problem for months

The company is dancing around the question of what it knew and when it knew it, but the security problem was not a revelation for it this week

When Starbucks published the new version of its iOS mobile app yesterday to fix its passwords-in-clear-text problem, it demonstrated a seemingly awesome ability to correct a serious security issue in a single day.

But was it truly awesome? Not if it knew about the security hole for months. Not if it knew about it before it published the prior iOS app update back on May 2, 2013.

According to a key source involved in the process, Starbucks knew about the clear-text password problem before the May release, but issued the release anyway. The hole was never intended, the source said, but came about inadvertently due to the way the data was prepared to capture crash information. The problem was discovered during pre-launch testing, but not fixed. So Starbucks was aware of the problem for almost nine months before it finally addressed it, and that's a key reason it was able to patch things so quickly.

Starbucks' official line is that it knew something before the May update, but it is not admitting that it knew specifically that passwords appeared in clear text until security researcher Daniel Wood published his report earlier this week. "We were aware that crash logging was collecting the information when we launched [in May 2013]. However, we were not aware that in certain circumstances Starbucks account name and password were visible in that logging," said Starbucks spokesperson Linda Mills today. "When we became aware of this potential vulnerability through Daniel's report, we worked quickly to address it, and thus were able to release an update to the app last night."
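The failure mode described above, where a crash reporter serialises whatever session state it is handed and so logs credentials it was never meant to see, can be illustrated in a few lines. This is an added example, not Starbucks' code: the session dictionary and key names are constructed, and the fix uses an allowlist of known-safe fields rather than a denylist, because "in certain circumstances" leaks are exactly what denylists miss.

```python
import json
from typing import Any

# Constructed sample of the session state an app might hand to a crash reporter:
# harmless diagnostics mixed with the user's credentials.
SAMPLE_SESSION = {
    "screen": "PayScreen",
    "build": "2.6.1",
    "username": "jane@example.com",
    "password": "hunter2",
    "last_error": "timeout",
}

# Fields that are allowed to reach a crash log. Anything else is dropped.
SAFE_KEYS = {"screen", "build", "last_error"}

# Key names that mark a value as a credential; used only by the detection check.
SECRET_KEYS = {"password", "passwd", "pin", "token", "secret", "username", "account"}


def crash_context_unsafe(session: dict[str, Any]) -> str:
    """The bug: dump the whole session into the crash log, credentials included."""
    return json.dumps(session, sort_keys=True)


def crash_context_safe(session: dict[str, Any]) -> str:
    """The fix: copy only allowlisted fields; unknown fields never get logged."""
    return json.dumps({k: v for k, v in session.items() if k in SAFE_KEYS},
                      sort_keys=True)


def secret_values(session: dict[str, Any]) -> list[str]:
    """Values the session holds under credential-like keys."""
    return [str(v) for k, v in session.items() if k.lower() in SECRET_KEYS]


def leaks_credentials(log_line: str, session: dict[str, Any]) -> bool:
    """Pre-release test: does a produced log line contain any credential value?"""
    return any(secret in log_line for secret in secret_values(session))


if __name__ == "__main__":
    print("unsafe leaks:", leaks_credentials(crash_context_unsafe(SAMPLE_SESSION), SAMPLE_SESSION))
    print("safe leaks:  ", leaks_credentials(crash_context_safe(SAMPLE_SESSION), SAMPLE_SESSION))
```

The `leaks_credentials` check is the kind of assertion a pre-launch test suite can run over captured crash payloads, so a leak is caught before a release ships rather than months after.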

When asked when Starbucks learned that passwords were in clear text, Mills said it was at 8 p.m. EST on Tuesday, Jan. 14, when I interviewed two senior Starbucks executives, CIO Curt Garner and Chief Digital Officer Adam Brotman. That seems unlikely, though, given that Wood's report was published on the morning of Jan. 13 and that I sent Starbucks a copy of that report early on Jan. 14.

Mills then said that "Curt and Adam were under the impression the data was only logged for crashes up until our conversation. And a fix was already under way for that. As soon as you sent me the report, the team immediately started to look into it, but we did not have confirmation. After our conversation with you, the team swiftly worked to accelerate an update."

Given that both execs explicitly said in the Jan. 14 interview that they had known about the clear-text password problem "for some time," it seems likely that the new information from the Wood report was that the holes had been discovered, not that they existed.

This raises a troubling question: If Starbucks had the ability to fix this in one day, why the heck didn't it do that months ago? For that matter, why wasn't the May 2013 version fixed before it went live?

The tendency of many large firms is to do nothing about security holes that they've learned about until either a major breach happens (e.g., Target and Neiman Marcus) or the media discloses the problem to the public. The latter seems to be the case with Starbucks, and as a columnist, I'm obligated to beat them up for taking no action when they had to know that storing passwords in plain text is sloppy security practice. Of course, if Starbucks officials really did first learn about the problem on Wednesday and then fixed the hole in a day, that would be very impressive. But, as a columnist, I'd have to beat them up for not having known. We security columnists are really hard to keep happy.

But this is the way it looks: Starbucks' security testing did in fact reveal the hole back before May 2013. So it gets points for not being clueless. But Starbucks chose to let the May update be distributed to millions of iPhones and iPads anyway. That's a big minus.

The Starbucks situation raises another issue that also seems to plague many companies. Wood told me that he had tried to tell Starbucks about the password issue for nearly two months. Every time he tried, he was transferred to customer service, which had no idea what to do with the information.

If that prompts a haughty chuckle at the mocha maestro's expense, you might want to stifle it, because it's probably fair to conclude that similar communication holes exist within the vast majority of Fortune 1,000 companies. If someone called your call center today and wanted to report a security hole involving your mobile app or some major problem with your website, would the caller be routed to the mobile or e-commerce team or be shunted off to some never-monitored voicemail? Be honest now.

The heads of IT -- and online and mobile groups -- are typically much more concerned with avoiding calls than making sure the calls get through. They figure (correctly, for what it's worth) that almost all external calls are from customers (send them to customer service), potential employees (off to HR) or salespeople (send them very far away). Switchboard and call center employees are trained well where to send those people -- as well as us lowly members of the Fourth Estate, who are dispatched to media relations -- but people calling in with security or other timely and critical information for IT/mobile/online are ignored.

Let's say a page on your website has been taken over and is showing obscene images. If someone wants to contact you who can show your people the exact affected pages and offer suggestions as to the nature of the problem, is there a prominent link on your site to direct them to the right contact? If such a call comes in, will your people know to immediately put the call through to the relevant department and keep trying different people until someone answers?

This is where small companies have a huge advantage. Whoever answers the phone in a 40-employee company will likely know who handles what or at least who would know the best person to field the call. But in a company with 400,000 employees, it's a much harder task.

Suggestion: Why not send a memo to all of the people who answer these calls saying that if anyone says they have information about IT, mobile, security or the website, they should be put through? For every 50 nuisance calls that get through -- and those calls are generally easy to identify in fewer than 30 seconds -- there could be one with information that's vital to the company.

Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek and eWeek. Evan can be reached at eschuman@thecontentfirm.com and he can be followed at twitter.com/eschuman. Look for his column every Tuesday.
