I received an email from Daniel Wood, the security researcher who discovered the vulnerability in the Starbucks app, on Saturday afternoon.
You can read Wood's complete comments at the link, but here are the highlights:
Rocco, thank you for taking this stance regarding my findings on the Starbucks iOS app.
Here's an update on the Starbucks situation and my comments on some of the sensationalizing ...
After publishing my vulnerability report on the Starbucks v2.6.1 mobile iOS application, I have been in continuous communications with Starbucks. As you know, Starbucks released an updated version of the application to address these security concerns. I have evaluated the latest version of the Starbucks mobile application (v2.6.2) from the Apple App Store and conducted exhaustive retesting of the application in order to confirm whether the vulnerabilities were successfully addressed ...
Wood also addressed sensationalism in the media, which clearly takes aim at the ReadWrite piece mentioned on Page One of the present article:
Starbucks has effectively addressed the security issues that were documented in my original report ... however, I do recommend that the above issue be remediated within the next release cycle of the mobile application to prevent a customer's last logged geolocation data from being stored.
At no point were Starbucks's data servers compromised, exposing their 10 million customers to the application as some reports have suggested. This was a local exploitable vulnerability on a user's device, not a remotely exploitable vulnerability on their servers or any other type of remote code execution vulnerability.
There you have it. Don't believe everything you read, especially if it comes from over-the-top tech snobs, something Wood obviously is not.
I (buzzword alert) reached out to SBUX Chief Digital Officer Adam Brotman on this. He couldn't comment at the moment, but asked that I check back in the coming days.
--Written by Rocco Pendola in Santa Monica, Calif.