Re: [Full-disclosure] [CVE-2014-0647] Insecure Data Storage of User Data Elements in Starbucks v2.6.1 iOS mobile application

2014-01-18 Thread Daniel Wood 
Friday, January 17, 2014
Updated Security Review for the new Starbucks v2.6.2 mobile iOS application

After publishing my vulnerability report on the Starbucks v2.6.1 mobile iOS 
application, I have been in continuous communication with Starbucks.  As you 
know, Starbucks released an updated version of the application to address these 
security concerns.  I have evaluated the latest version of the Starbucks mobile 
application (v2.6.2) from the Apple App Store and conducted exhaustive 
retesting of the application in order to confirm whether the vulnerabilities 
were successfully addressed.

Prior to starting the new version of the Starbucks mobile app, session.clslog 
was 64kb (varies on how many user actions you took prior to capturing the data) 
in size.  After running the new version of the application, it clears the 
session.clslog data file effectively removing all sensitive data elements that 
were being previously stored.  

Caveats:
If you install the latest Starbucks 2.6.2 app update without actually running 
the application, the session.clslog file remains with the sensitive data 
contained within it, however, as soon as you launch the new version of the 
application it clears session.clslog out, effectively wiping this data off your 
device.   This behavior makes sense as the application is required to run in 
order to execute the programmatic functions that address the issue of a static 
file that was being spooled to.

There is still a file, located in 
/Starbucks/Library/Preferences/com.starbucks.mystarbucks.plist that contains 
geolocation data of a users last logged geolocation.  The difference here is, 
it is not a running log of a customers geolocation like was being stored in 
session.clslog.  This information is only the last location where a customer 
has used their device.  As such, I do not believe this file is a security 
concern as it does not aggregate geolocation data over time.  Your stored 
geolocation is overwritten each time and cannot be used to track your movement 
patterns over time.

In summary, Starbucks has effectively addressed the security issues that were 
documented in my original report published January 14, 2014, however, I do 
recommend that the above issue be remediated within the next release cycle of 
the mobile application to prevent a customers' last logged geolocation data 
from being stored.

To address some misinformation that has been released:
The application does not need to crash in order for a customer's sensitive data 
elements to be written to session.clslog - this happened automatically prior to 
v2.6.2 being released.  The application can be backgrounded and the phone can 
be in Sleep mode by pressing the ‘Lock’ button on the top of the device and the 
data was written to session.clslog.  

During the initial testing of the application, at no point was there credit 
card data contained within this file, only your Starbucks Card number and 
balance amount.  During my testing I opted not to enter a valid credit card due 
to personal privacy precautions, thus the resulting entry within session.clslog 
had a value of null.

At no point were Starbucks's data servers compromised, exposing their 10 
million customers to the application as some reports have suggested.  This was 
a local exploitable vulnerability on a users device, not a remotely exploitable 
vulnerability on their servers or any other type of remote code execution 
vulnerability.

The PIN bypass methods described by some outlets mention the device's PIN, in 
actuality it is the PIN within the Starbucks application that did not prevent 
access to the sensitive user data elements being stored within session.clslog.  
While it is still possible to access application files stored on the device, 
since the v.2.6.2 update, this is no longer an issue as these data elements are 
not being written to session.clslog in clear text as was the case with the 
original vulnerability.  Keep in mind this is true for ANY application that 
uses a PIN to 'protect' your data.  It is only as secure as how the data 
written to the device is being secured either through encryption or never 
saving the data to disk to begin with.  A PIN only prevents someone from access 
the application itself, not the data being stored.  If you don’t store any data 
or you encrypt it, you have nothing to worry about if done properly.  
Application sandboxing does not prevent this type of vulnerability if it is 
being written to the disk.


- Daniel Wood



On Jan 13, 2014, at 10:28 PM, Daniel Wood daniel.w...@owasp.org wrote:

 Title: [CVE-2014-0647] Insecure Data Storage of User Data Elements in 
 Starbucks v2.6.1 iOS mobile application
 Published: January 13, 2014
 Reported to Vendor: December 2013 (no direct response)
 CVE Reference: CVE-2014-0647
 Credit: This issue was discovered by Daniel E. Wood
 http://www.linkedin.com/in/danielewood
 
 Product: Starbucks iOS mobile application
 Version: 2.6.1 (May 02, 2013)
 Vendor:

[Full-disclosure] [CVE-2014-0647] Insecure Data Storage of User Data Elements in Starbucks v2.6.1 iOS mobile application

2014-01-14 Thread Daniel Wood 
Title: [CVE-2014-0647] Insecure Data Storage of User Data Elements in Starbucks 
v2.6.1 iOS mobile application
Published: January 13, 2014
Reported to Vendor: December 2013 (no direct response)
CVE Reference: CVE-2014-0647
Credit: This issue was discovered by Daniel E. Wood
http://www.linkedin.com/in/danielewood

Product: Starbucks iOS mobile application
Version: 2.6.1 (May 02, 2013)
Vendor: Starbucks Coffee Company
URL: https://itunes.apple.com/us/app/starbucks/id331177714

Issue:  Username, email address, and password elements are being stored in 
clear-text in the session.clslog crashlytics log file.
Location:   
/Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog

Within session.clslog there are multiple instances of the storage of clear-text 
credentials that can be recovered and leveraged for unauthorized usage of a 
users account on the malicious users’ own device or online at 
https://www.starbucks.com/account/signin.  It contains the HTML of the mobile 
application page that performs the account login or account reset.  
session.clslog also contains the OAuth token (signed with HMAC-SHA1) and OAuth 
signature for the users account/device to the Starbucks service.

From session.clslog:
div class=block_login
form action=/OAuth/sign-in class=siren id=accountForm method=post
fieldset class=login_position
legendspan class=group-headerI have a Starbucks 
account./span/legend

[...snip...]

li
label for=Account_UserName class=Username span 
class='req'*/span/label
span class=x
input class=field text medium 
id=Account_UserName maxlength=200 name=Account.UserName tabindex=0 
type=text value=CLEARTEXT /
/span
/li
li
label for=Account_PassWord class=Password span 
class='req'*/span/label
span class=x
input class=field text medium 
id=Account_PassWord maxlength=200 name=Account.PassWord tabindex=0 
type=password value=CLEARTEXT /
/span
/li

43440 $ -[AccountManager forgotPasswordEmail:withUserName:] line 1609 $ BODY 
STRING:[ {emailAddress:CLEARTEXT,userName:CLEARTEXT} ]

Note: All references of 'CLEARTEXT' above are the cleartext values of each 
referenced string.


Mitigation:
To prevent sensitive user data (credentials) from being recovered by a 
malicious user, output sanitization should be conducted to prevent these data 
elements from being stored in the crashlytics log files in clear-text, if at 
all.

iOS Specific Best Practices (from OWASP Mobile Top 10 - M1 Insecure Data 
Storage):
- Never store credentials on the phone file system. Force the user to 
authenticate using a standard web or API login scheme (over HTTPS) to the 
application upon each opening and ensure session timeouts are set at the bare 
minimum to meet the user experience requirements.
- Where storage or caching of information is necessary consider using a 
standard iOS encryption library such as CommonCrypto
- If the data is small, using the provided apple keychain API is recommended 
but, once a phone is jailbroken or exploited the keychain can be easily read. 
This is in addition to the threat of a bruteforce on the devices PIN, which as 
stated above is trivial in some cases.
- For databases consider using SQLcipher for Sqlite data encryption
- For items stored in the keychain leverage the most secure API designation, 
kSecAttrAccessibleWhenUnlocked (now the default in iOS 5) and for enterprise 
managed mobile devices ensure a strong PIN is forced, alphanumeric, larger than 
4 characters.
- For larger or more general types of consumer-grade data, Apple’s File 
Protection mechanism can safely be used (see NSData Class Reference for 
protection options).
- Avoid using NSUserDefaults to store senstitve pieces of information as it 
stores data in plist files.
- Be aware that all data/entities using NSManagedObects will be stored in an 
unencrypted database file.

References:
http://try.crashlytics.com/security/
https://developer.apple.com/library/mac/documentation/Security/Conceptual/SecureCodingGuide/SecurityDevelopmentChecklists/SecurityDevelopmentChecklists.html#//apple_ref/doc/uid/TP40002415-CH1-SW1
https://www.owasp.org/index.php/IOS_Developer_Cheat_Sheet#Insecure_Data_Storage_.28M1.29



signature.asc
Description: Message signed with OpenPGP using GPGMail
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/