The Starbucks mobile app is reportedly the most used mobile payment app in the United States, but now there's talk that the iOS version stores usernames, email addresses and passwords in clear text. This could be seriously bad news for those who lose their phones and typically use the same password across all apps and services.
The news arrives by way of Daniel Wood, a Minneapolis-area computer security expert. Wood's discovery, first reported by Computerworld on Wednesday, reveals that no jailbreaking is needed. What's more, the clear text also includes "an extensive list" of geolocation tracking points. This could be dangerous information if it fell into the wrong hands.
The report stresses that Starbucks could have chosen not to store the information on the phone, but then that would require the customer to enter the name and password at each transaction. Instead, Starbucks chose convenience over security. Gartner security analyst Avivah Litan said that Starbucks should have at least informed customers of the possible vulnerability.
Surprisingly, two Starbucks executives already knew of the problem before the security report made waves earlier this week. "We were aware," admitted Starbucks Chief Digital Officer Adam Brotman. "That was not something that was news to us."
In order to get the information, a thief would need to swipe the phone from the victim and get past the password or PIN blocking full access. That move, it seems, is rather simple for a crook.
"You don't need a user's PIN in order to pull raw data off the phone using the tool and methods I have used," Wood told Computerworld. "So if a user's phone is stolen, regardless of being PIN-protected, you are able to bypass that and access the app's Library/Cache and pull the session.clslog file."
On a small scale, a thief could take that information and simply keep charging against the Starbucks account. When the money runs low, the account will draw on the user's bank account to replenish the funds. This will automatically trigger a message to the victim, likely in the form of an email, alerting the victim to the fraud; the victim could in turn notify Starbucks.
Still, if the file holds personal information in clear text, thieves can do more than just charge up a Starbucks account. Yet according to Computerworld, the Starbucks execs are downplaying the potential problem. They claim the company made specific changes that alleviate the problem. According to Brotman, usernames and passwords are safe thanks to extra layers of security.
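The core defect described above is that a cache log in the app's sandbox held credentials and location points in the clear. A pre-release audit can catch exactly this class of leak before an app ships. The following is an added example, not code from the report or from Starbucks: it scans a constructed log in the style described (assumed field names such as `password=` and `lat=`/`long=`; the real session.clslog format is not shown on the page) and reports which lines contain which kind of sensitive data, without echoing the values themselves.

```python
import re
from typing import Dict, List

# Constructed sample of a cache log like the one the report describes.
# The layout and field names are assumptions for this example.
SAMPLE_LOG = """\
2014-01-15 08:12:03 login username=jane.doe@example.com password=hunter2
2014-01-15 08:12:05 location lat=44.9778 long=-93.2650
2014-01-15 08:14:17 location lat=44.9801 long=-93.2712
2014-01-15 08:20:40 reload amount=25.00
"""

# Patterns for data that should never land in an on-device log in clear text.
PATTERNS = {
    "password": re.compile(r"\bpassword=\S+", re.IGNORECASE),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "geolocation": re.compile(r"\blat=-?\d+\.\d+\s+long=-?\d+\.\d+"),
}


def scan_cache_log(text: str) -> Dict[str, List[int]]:
    """Return, per category, the 1-based line numbers that leak that data.

    Only line numbers are reported so the audit output does not itself
    become another copy of the secret.
    """
    findings: Dict[str, List[int]] = {name: [] for name in PATTERNS}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings[name].append(lineno)
    return findings


def is_clean(text: str) -> bool:
    """True when no category produced a hit; suitable as a release gate."""
    return not any(scan_cache_log(text).values())


if __name__ == "__main__":
    for category, lines in scan_cache_log(SAMPLE_LOG).items():
        print(f"{category}: lines {lines}")
    print("clean:", is_clean(SAMPLE_LOG))
```

Running this over every file under the app's Library/Caches directory in a test build turns the "we were aware" situation into a failing check rather than a press story.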
Still, was Starbucks negligent in keeping user information in clear, accessible text?
News of Starbucks' app arrives as Target investigates a breach in its point-of-sale system that spilled the private information of 70 million customers. Now the company is facing a possible class action lawsuit that claims Target knew about the vulnerability since 2007. Neiman Marcus is also investigating a similar breach, as are three other unnamed retailers.