Starbucks late Thursday (Jan. 16) posted a new version of its iOS mobile-payment app, one that the company says fixes the password-in-plain-text situation that I reported on Wednesday (Jan. 15). I have been unable to verify as yet whether the new version does indeed halt the key problems with the earlier version, which also disclosed in clear text account name, email address and geolocation details.
Daniel Wood, the security researcher who first discovered the holes — and who, at Computerworld's request late on Tuesday, reran the tests after Starbucks said it had imposed additional security protections — said today that he is "almost 100% certain" that the clear-text password problem is gone. "The file that was containing that data is no longer storing that data," he said, adding that he is still "checking to see if [the sensitive data] is trapped somewhere else." The passwords and related info are now saved in Apple's encrypted keychain, Wood said.
It should be pointed out, though, that Wood is no longer the independent security researcher that he was two days ago, since Starbucks has now brought him on as a security consultant, along with the standard nondisclosure agreement. Wood said it is, at this time, an unpaid role.
Sign up for Computerworld eNewsletters.