Starbucks fixes iOS app that showed account user information in clear, plain text

Coffee addicts who swear by Starbucks might just want to swear at Starbucks, because the company's mobile payment app for iOS exposes them to possible security and privacy threats. The problem has been acknowledged by company executives, who confirmed that credentials such as passwords, email addresses, and usernames are stored by the app in clear, plain text.

The Starbucks mobile app for iOS, considered among the most used mobile apps in the United States, also stores geolocation tracking data that can easily be accessed by anyone who gets hold of a user's handset.

Computerworld was the first to report on the issue and pointed out a clear case of security being placed second to customer convenience in terms of importance.

"The issue appears to be an example of convenience trumping security. One of the reasons for the Starbucks mobile app's popularity is its extreme ease of use. Customers need only enter their password once when activating the payment portion of the app and then use the app to make unlimited purchases without having to key in the password or username again. (Only when adding money to the app is the password required.)" wrote Evan Schuman of Computerworld.

The report cited security researcher Daniel Wood, who discovered the possible exploit.

According to Wood's full disclosure, he tested version 2.6.1 of the Starbucks mobile app for iOS, released by the company in May 2013. Wood recommended sanitizing the app so that user credentials cannot be recovered by malicious users.

"If you grab someone's phone, you can effectively go through this log and see effectively where this person has been. It's a bad thing for user privacy," Wood said in an interview with Computerworld. "You don't need a user's PIN in order to pull raw data off the phone using the tool and methods I have used. So if a user's phone is stolen, regardless of being PIN-protected, you are able to bypass that and access the app's Library/Cache and pull the session.clslog file." In other words, thieves can use up whatever credit consumers have in their Starbucks app and, far worse, contact them via email or follow them using the patterns shown in their geolocation data.
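The weakness described above is a plaintext log in the app's cache directory that carries credentials and location history. The following added example (not code from the article, Computerworld, or Starbucks) is a small audit script a mobile-app security reviewer could run over an extracted app sandbox to flag and redact such material before it ships. Only the Library/Cache directory and the session.clslog file name come from the article; the log line format, the field names, and the sample content are constructed for illustration.

```python
import re
from pathlib import Path

# Constructed sample of what a plaintext cache log might contain.
# The format is hypothetical; only the file name session.clslog comes from the report.
SAMPLE_LOG = """\
2013-05-02 08:14:03 session start device=iPhone
2013-05-02 08:14:05 login username=jdoe password=hunter2 email=jdoe@example.com
2013-05-02 08:14:09 location lat=47.6097 lon=-122.3331
2013-05-02 08:20:41 purchase amount=4.75 store=1234
2013-05-02 08:22:10 location lat=47.6205 lon=-122.3493
"""

# Patterns for the categories of data the report says were exposed:
# credentials (username/password), email addresses, and geolocation.
PATTERNS = {
    "password": re.compile(r"\b(password|passwd|pwd)\s*[=:]\s*(\S+)", re.I),
    "username": re.compile(r"\b(username|user)\s*[=:]\s*(\S+)", re.I),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "geolocation": re.compile(
        r"\blat(?:itude)?\s*[=:]\s*-?\d+\.\d+.*?\blon(?:gitude)?\s*[=:]\s*-?\d+\.\d+",
        re.I,
    ),
}


def scan_log_text(text):
    """Return a list of (line_number, category) for every sensitive hit.

    A line can produce several findings if it contains several categories.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for category, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((line_no, category))
    return findings


def redact_line(line):
    """Return the line with credential, email and location values masked.

    This is the shape of the 'sanitization' a fix would apply before anything
    is written to an on-device log that survives without the user's PIN.
    """
    line = PATTERNS["password"].sub(lambda m: f"{m.group(1)}=[REDACTED]", line)
    line = PATTERNS["username"].sub(lambda m: f"{m.group(1)}=[REDACTED]", line)
    line = PATTERNS["email"].sub("[REDACTED-EMAIL]", line)
    line = PATTERNS["geolocation"].sub("[REDACTED-GEO]", line)
    return line


def redact_log_text(text):
    """Redact every line of a log and return the cleaned text."""
    return "\n".join(redact_line(l) for l in text.splitlines()) + "\n"


def scan_cache_dir(root):
    """Walk an extracted app sandbox (e.g. its Library/Cache directory) and
    report (path, line_number, category) for every sensitive hit in any
    text file found. Binary files are read with undecodable bytes ignored.
    """
    results = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="ignore")
        for line_no, category in scan_log_text(text):
            results.append((str(path), line_no, category))
    return results


if __name__ == "__main__":
    # Demonstrate on the constructed sample: list findings, then show the
    # redacted form that a hardened app would have written instead.
    for line_no, category in scan_log_text(SAMPLE_LOG):
        print(f"line {line_no}: {category}")
    print(redact_log_text(SAMPLE_LOG))
```

Running the script on the constructed sample reports the login line three times (password, username, email) and both location lines once each; the redacted output keeps the event timeline but none of the values a thief could reuse. Pointing `scan_cache_dir` at a copied sandbox gives the same check across every file under the cache directory, which is the review a team should run on release builds before relying on "the phone has a PIN" as the only protection.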

Interestingly, Starbucks said it knew of the issue and yet decided against doing anything about it. "We were aware. That was not something that was news to us," said Starbucks chief digital officer Adam Brotman.

The company now says that security measures have been taken and that customers should not worry. However, what improvements were made to its mobile app were not disclosed by Starbucks.

"Our customers' security is of the utmost importance to us, and we actively monitor for risks and vulnerabilities. While we are aware of this report, there is no known impact to our customers. To further mitigate our customers' potential risk from these theoretical vulnerabilities, Starbucks has taken additional steps to safeguard any sensitive information that might have been transmitted in this way," said company spokesperson Linda Mills.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.