Starbucks admits its iPhone app stores unencrypted passwords, location data

By , Jan 16, 2014


Following a report from security researcher Daniel Wood, Starbucks executives admitted this week that the company’s mobile app stores user names and passwords in clear text, with no encryption. It also keeps a record of unsecured geolocation data.

The problem with this, Wood says, is that by connecting your iPhone to a computer, someone could easily retrieve this info from a crash log—no jailbreak or special hardware required. And what’s worse is Starbucks isn’t doing anything to fix the issue…

Here’s Computerworld with the report (via The Verge):

“The Starbucks mobile app, the most used mobile-payment app in the U.S., has been storing usernames, email addresses and passwords in clear text, Starbucks executives confirmed late on Tuesday (Jan. 14). The credentials were stored in such a way that anyone with access to the phone can see the passwords and usernames by connecting the phone to a PC. No jailbreaking of the phone is necessary. And that clear text also displays an extensive list of geolocation tracking points (latitude, longitude), a treasure trove of security and privacy gems for anyone who steals the phone.”

Again, potential criminals would still need to have your phone in hand to grab any information, and the only info available is user names, passwords and location data. But if the app’s “auto-replenish” feature is enabled, a thief could easily run up a tab.

The coffee company tells the publication that it has “security measures in place now” related to the problem. But Wood says anything Starbucks does on its end won’t matter, because the vulnerability lies within the app itself, which has not been updated.

Wood says he found a similar problem in the Subway Ordering for California app, though that one is much more menacing, as it stores complete street address and credit card information in plain text.
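As an added example (not from the article, and not Starbucks’ or Subway’s code), here is a small audit check a developer or app tester can run over files pulled from their own app’s sandbox or crash logs to confirm that no credentials or location points are being written in the clear. The log text is constructed for the example, and matched values are redacted so the report itself is not a leak.

```python
"""Audit check: flag plaintext credentials and geolocation points in files an
app writes to its sandbox (logs, plists, JSON caches). Values are redacted."""
import re
from typing import List, NamedTuple

class Finding(NamedTuple):
    line: int      # 1-based line where the match starts
    kind: str      # "credential" or "geolocation"
    key: str       # field name, e.g. "password", or "lat,lon"
    redacted: str  # first character of each value plus "***"

# Field names that must never sit on disk with a plaintext value.
KEYS = r"(?:password|passwd|pwd|username|user_name|email)"
CRED_PATTERNS = [
    re.compile(r'"(?P<key>' + KEYS + r')"\s*:\s*"(?P<val>[^"]+)"', re.I),  # JSON
    re.compile(r'\b(?P<key>' + KEYS + r')\s*=\s*(?P<val>\S+)', re.I),      # key=value
    re.compile(r'<key>(?P<key>' + KEYS + r')</key>\s*<string>(?P<val>[^<]+)</string>', re.I),  # plist
]
# A bare "lat,lon" pair: two decimals with at least three fraction digits.
GEO_RE = re.compile(r'(?<![\d.])(-?\d{1,2}\.\d{3,})\s*,\s*(-?\d{1,3}\.\d{3,})(?![\d.])')

# Constructed sample of what a careless app might write to a crash log.
SAMPLE = """\
2014-01-14 08:12:03 CoffeeApp[212] restoring session
{"username":"alice@example.com","password":"hunter2","autoReplenish":true}
email=alice@example.com
<key>password</key>
<string>hunter2</string>
location fix 47.6062,-122.3321 accuracy=10
location fix 47.6101, -122.2015 accuracy=65
app version 2.6.1 build 1203
"""

def redact(value: str) -> str:
    return value[:1] + "***"
def _line_of(text: str, pos: int) -> int:
    return text.count("\n", 0, pos) + 1

def scan_text(text: str) -> List[Finding]:
    found = []
    for pat in CRED_PATTERNS:
        for m in pat.finditer(text):
            found.append(Finding(_line_of(text, m.start()), "credential",
                                 m.group("key").lower(), redact(m.group("val"))))
    for m in GEO_RE.finditer(text):
        found.append(Finding(_line_of(text, m.start()), "geolocation", "lat,lon",
                             redact(m.group(1)) + "," + redact(m.group(2))))
    return sorted(found)  # ordered by line, then kind and key
```

Run `scan_text` over each file from the app container; a clean app returns an empty list, and any credential finding means the value belongs in the Keychain, not in a log or plist.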

  • Capirexz

    I miss iOS6 Lockscreen.

  • Andrew

    oh k

  • Jonathan

    So, why should I be worried? It’s not their servers, it’s my iPhone.

    • ✪ aidan harris ✪

      Worst case scenario:

      Thief gets your iPhone
      It just so happens to be unlocked when they get it
      I’m assuming it’s jailbroken here so they’ll go into file and view this unencrypted information
      They’ll then buy themselves a coffee on you!

      Completely unrealistic and obviously meant as a joke. The real threat is if usernames and passwords etc are used on other sites for example if your PayPal account details were the same as your Starbucks account details then you can probably guess the dangers of what Starbucks has done…

      • Jonathan

        Yeah, that very scenario popped in my head as well. xD
        I have a passcode, so it wouldn’t happen.
        2nd, I don’t even use the starbucks app lol

  • n0ahcruz3

    Since the inception of smartphones, cyber attacks and hacks are high. That’s why I don’t do online banking/mobile, app purchases etc., falsifying name, location etc. And avoid malicious websites of course ;P