Security researcher Daniel Wood discovered back in mid-November of last year that the Starbucks iPhone app had been storing passwords in clear text, along with usernames, email addresses and geolocation data. Wood tried contacting the company but was given the runaround by customer service, so he ended up publishing his research online this Monday, reports Computerworld.
The issue concerns the US Starbucks iOS app, version 2.6.1, last updated on May 1, 2013 (we assume the Canadian version of the app, also 2.6.1, is affected as well).
The issue stems from Starbucks’ decision to favour ease of use over security by storing user passwords on the iPhone to keep users logged in. Surprisingly, Starbucks executives admitted in a phone interview that they were well aware passwords were being stored in plain text:
And apparently Starbucks could have done that. Two executives — Starbucks CIO Curt Garner and Starbucks Chief Digital Officer Adam Brotman — said in a telephone interview that they have known for an unspecified period of time that the credentials were being stored in clear text. “We were aware,” Brotman said. “That was not something that was news to us.”
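The defect described above is the storage choice itself: a credential written in the clear into the app’s own container. As an added illustration, not Starbucks’ code and not a description of whatever “extra layers of security” the company says it added, the following Swift snippet shows the pattern a defender would use on iOS instead: keep a server-issued session token (rather than the password) in the Keychain under an accessibility class that ties it to the device and keeps it out of unencrypted backups. The service name, account name and the `CredentialStore` helper are assumptions for the example.

```swift
import Foundation
import Security

// Added example (not from the article or from Starbucks). The vulnerable
// pattern is the equivalent of writing the password into a plist under the
// app's Documents/ directory or into UserDefaults, where it sits in the clear
// inside the app container and in unencrypted device backups. The Keychain
// entry below is encrypted by the OS and, with the ThisDeviceOnly class, is
// neither readable while the device is locked nor migrated to another device.
enum CredentialStore {
    // Assumed service identifier; any stable per-app string works.
    static let service = "com.example.coffeeapp.session"

    enum KeychainError: Error {
        case unhandled(OSStatus)
    }

    // Persist a session token so the user stays logged in across launches.
    // Store the token, never the password: a leaked token can be revoked
    // server-side, a leaked password cannot.
    static func save(token: String, account: String) throws {
        let baseQuery: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
        // Remove any previous entry first so SecItemAdd does not fail with
        // errSecDuplicateItem on re-login.
        SecItemDelete(baseQuery as CFDictionary)

        var attributes = baseQuery
        attributes[kSecValueData as String] = Data(token.utf8)
        // Readable only while the device is unlocked, never backed up to
        // another device, so a passcode-locked phone does not expose it.
        attributes[kSecAttrAccessible as String] =
            kSecAttrAccessibleWhenUnlockedThisDeviceOnly

        let status = SecItemAdd(attributes as CFDictionary, nil)
        guard status == errSecSuccess else {
            throw KeychainError.unhandled(status)
        }
    }

    // Read the token back; nil means the user has to log in again.
    static func load(account: String) throws -> String? {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecReturnData as String: true,
            kSecMatchLimit as String: kSecMatchLimitOne,
        ]
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        if status == errSecItemNotFound {
            return nil
        }
        guard status == errSecSuccess, let data = result as? Data else {
            throw KeychainError.unhandled(status)
        }
        return String(decoding: data, as: UTF8.self)
    }

    // Logout / revocation path: drop the local copy as well.
    static func clear(account: String) {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
        SecItemDelete(query as CFDictionary)
    }
}

// Usage (assumed token value, constructed for the example):
// try CredentialStore.save(token: "opaque-session-token-from-server", account: "user@example.com")
// let token = try CredentialStore.load(account: "user@example.com")
```

The design point is that the Keychain only solves half of the problem; the other half is what gets stored. A short-lived, revocable session token limits the damage if the device is compromised, whereas a stored password, however it is protected, gives up the account outright.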
Starbucks told Computerworld they have made unspecified changes to fix the problem by adding “extra layers of security” to the app. Despite this claim, Wood re-tested the app and found that nothing had changed.
Wood describes how tools of the trade would allow a thief to easily pull your Starbucks username and password off your iPhone (no jailbreak required), even if your device had a passcode set up. Once these credentials are compromised, a victim could quickly see their Starbucks account abused and run up with large purchases.
Despite this glaring security hole in the Starbucks iPhone app, as long as your phone doesn’t get stolen you should be safe. But the fact remains it shouldn’t be this way in the first place, and it’s shocking that Starbucks knew about it but kept customers in the dark.