When Starbucks published the new version of its iOS mobile app yesterday to fix its passwords-in-clear-text problem, it demonstrated a seemingly awesome ability to correct a serious security issue in a single day.
But was it truly awesome? Not if it knew about the security hole for months. Not if it knew about it before it published the prior iOS app update back on May 2, 2013.
According to a key source involved in the process, Starbucks knew about the clear-text password problem before the May release, but issued the release anyway. The hole was never intended, the source said, but came about inadvertently due to the way the data was prepared to capture crash information. The problem was discovered during pre-launch testing, but not fixed. So Starbucks was aware of the problem for almost nine months before it finally addressed it, and that's a key reason it was able to patch things so quickly.
Starbucks' official line is that it knew something before the May update, but it is not admitting that it knew specifically that passwords appeared in clear text until security researcher Daniel Wood published his report earlier this week. "We were aware that crash logging was collecting the information when we launched [in May 2013]. However, we were not aware that in certain circumstances Starbucks account name and password were visible in that logging," said Starbucks spokesperson Linda Mills today. "When we became aware of this potential vulnerability through Daniel's report, we worked quickly to address it, and thus were able to release an update to the app last night."
When asked when Starbucks learned that passwords were in clear text, Mills said it was at 8 p.m. EST on Tuesday, Jan. 14, when I interviewed two senior Starbucks executives, CIO Curt Garner and Chief Digital Officer Adam Brotman. That seems unlikely, though, given that Wood's report was published on the morning of Jan. 13 and that I sent Starbucks a copy of that report early on Jan. 14.
Mills then said that "Curt and Adam were under the impression the data was only logged for crashes up until our conversation. And a fix was already under way for that. As soon as you sent me the report, the team immediately started to look into it, but we did not have confirmation. After our conversation with you, the team swiftly worked to accelerate an update."
Given that both execs explicitly said in the Jan. 14 interview that they had known about the clear-text password problem "for some time," it seems likely that the new information from Wood's report was that the holes had been discovered, not that they existed.