Following a report from security researcher Daniel Wood, Starbucks executives admitted this week that the company’s mobile app stores user names and passwords in clear text, with no encryption. It also keeps a record of unsecured geolocation data.
The problem with this, Wood says, is that by connecting your iPhone to a computer, someone could easily retrieve this info from a crash log—no jailbreak or special hardware required. And what’s worse is Starbucks isn’t doing anything to fix the issue…
“The Starbucks mobile app, the most used mobile-payment app in the U.S., has been storing usernames, email addresses and passwords in clear text, Starbucks executives confirmed late on Tuesday (Jan. 14). The credentials were stored in such a way that anyone with access to the phone can see the passwords and usernames by connecting the phone to a PC. No jailbreaking of the phone is necessary. And that clear text also displays an extensive list of geolocation tracking points (latitude, longitude), a treasure trove of security and privacy gems for anyone who steals the phone.”
Again, potential criminals would still need to have your phone in hand to grab any information, and the only info available is user names, passwords and location data. But if the app’s “auto-replenish” feature is enabled, a thief could easily run up a tab.
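The failure mode described above, clear-text credentials and a trail of coordinates in a file that can be pulled off the device, is something a mobile app security review can check for before release. The following is an added example, not code from the original report or from Starbucks: a small Python audit that scans a constructed sample log for credential fields and location points, and a sanitizer showing the logging-side fix. The log format, field names and values are all invented for this illustration.

```python
import re

# Constructed sample of an app log written to the device in clear text; the
# format and values are invented for this example, not Starbucks' actual file.
SAMPLE_LOG = """\
2014-01-14 09:12:03 session: username=jane.doe email=jane.doe@example.com password=Latte!2014
2014-01-14 09:12:04 location: lat=47.6097 lon=-122.3331
2014-01-14 09:13:10 location: lat=47.6205 lon=-122.3493
2014-01-14 09:15:00 request: GET /rewards/balance
"""

# Fields that must never reach an on-device log in clear text.
CRED_RE = re.compile(r"\b(username|email|password|passwd|pwd)=(\S+)", re.IGNORECASE)
# Latitude/longitude pairs, which accumulate into a movement history over time.
GEO_RE = re.compile(r"\blat=(-?\d+\.\d+)\s+lon=(-?\d+\.\d+)")
REDACTED = "[REDACTED]"

def scan_log(text):
    """Report clear-text credential fields and location points per line.

    Only field names and line numbers are returned, never the secret values,
    so the report itself is safe to attach to a bug ticket."""
    findings = {"credentials": [], "locations": []}
    for lineno, line in enumerate(text.splitlines(), 1):
        for field, value in CRED_RE.findall(line):
            if value != REDACTED:
                findings["credentials"].append((lineno, field.lower()))
        for lat, lon in GEO_RE.findall(line):
            findings["locations"].append((lineno, float(lat), float(lon)))
    return findings

def sanitize(text):
    """The fix on the logging side: mask credential values and drop
    coordinates before a line is ever written to disk."""
    out = []
    for line in text.splitlines():
        line = CRED_RE.sub(lambda m: f"{m.group(1)}={REDACTED}", line)
        line = GEO_RE.sub("lat=[DROPPED] lon=[DROPPED]", line)
        out.append(line)
    return "\n".join(out) + "\n"

def is_clean(text):
    """True when the log holds no clear-text credentials or coordinates."""
    f = scan_log(text)
    return not f["credentials"] and not f["locations"]

if __name__ == "__main__":
    before = scan_log(SAMPLE_LOG)
    print(f"credentials: {before['credentials']}, locations: {len(before['locations'])}")
    print("clean after sanitize:", is_clean(sanitize(SAMPLE_LOG)))
```

Masking the log is only half of the fix; credentials themselves belong in the platform's protected store (the iOS Keychain for an iPhone app) rather than in any file the app writes.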
The coffee company tells the publication that it has “security measures in place now” related to the problem. But Wood says anything Starbucks does on its end wouldn’t matter, because the vulnerability lies within the app itself, which has not been updated.
Wood says he found a similar problem in the Subway Ordering for California app, and a much more menacing one, since that app stores complete street addresses and credit card information in plain text.