In what is being widely regarded as a major security flaw, security researcher Daniel Wood discovered that passwords for America’s most popular mobile payment app are stored locally in a clear-text file, so that anyone with physical access to the phone (for example a thief) could easily steal not only the Starbucks pre-paid store card details but also the owner’s password, which is often re-used for services such as email and banking.
‘In about 20% of the cases, the password is the same as for their banks. Consumers reuse their passwords whenever they can,’ said Gartner security analyst Avivah Litan.
The iOS app provides a convenient way for customers of the world’s most popular coffee shop chain to purchase their favorite lattes: they enter their username and password just once, after which they can make unlimited purchases without further input. Because these details are not encrypted, anyone with access to the phone can read them (for example by plugging it into a PC over USB, a tactic that can easily bypass any PIN-lock style protection on the phone).
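The storage pattern described above, as an added illustration that is not the Starbucks app’s own code: the first function shows the weak pattern (a credentials property list written to the app’s Documents directory, which is readable from a paired computer and included in backups), and the second shows the usual remedy on iOS, keeping a secret in the Keychain with an accessibility class that is encrypted under the device passcode and is never migrated to another device. The function and service names are hypothetical, and the hardened version stores a revocable session token rather than the password itself, which is an assumption about how a payment app would be designed, not something the article states.

```swift
import Foundation
import Security

// Weak pattern (illustration only): credentials serialised as a plain-text plist
// in the Documents directory. Nothing here is encrypted by the app, and the
// file can be pulled off the device over USB or from a backup.
func storeCredentialsInsecurely(username: String, password: String) throws {
    let docs = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)[0]
    let plist: [String: String] = ["username": username, "password": password]
    let data = try PropertyListSerialization.data(fromPropertyList: plist,
                                                  format: .xml, options: 0)
    try data.write(to: docs.appendingPathComponent("session.plist"))
}

// Hardened pattern: keep only a server-issued session token (hypothetical design
// choice) in the Keychain. kSecAttrAccessibleWhenUnlockedThisDeviceOnly means the
// item is unreadable while the device is locked and is not included in backups.
func storeSessionTokenInKeychain(service: String, account: String, token: String) -> OSStatus {
    let baseQuery: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    // Remove any stale item first so SecItemAdd does not fail with errSecDuplicateItem.
    _ = SecItemDelete(baseQuery as CFDictionary)

    var attributes = baseQuery
    attributes[kSecValueData as String] = Data(token.utf8)
    attributes[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    return SecItemAdd(attributes as CFDictionary, nil)
}

// Reads the token back; returns nil if it is absent or the device is locked.
func readSessionTokenFromKeychain(service: String, account: String) -> String? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let data = item as? Data else { return nil }
    return String(data: data, encoding: .utf8)
}

// Example usage with constructed values (service and token are placeholders).
let status = storeSessionTokenInKeychain(service: "com.example.coffeeapp",
                                         account: "user@example.com",
                                         token: "placeholder-session-token")
if status == errSecSuccess,
   let token = readSessionTokenFromKeychain(service: "com.example.coffeeapp",
                                            account: "user@example.com") {
    print("Token stored in Keychain, length \(token.count)")
}
```

The token approach also limits the blast radius of a lost phone: the server can revoke a session token, whereas a leaked password that is re-used elsewhere cannot be recalled.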
Interestingly, the text file also contains the phone owner’s geo-location history.
‘If you grab someone’s phone, you can effectively go through this log and see effectively where this person has been. It’s a bad thing for user privacy,’ said Wood.
Although this is indeed a bad thing, we feel compelled to ask why Starbucks itself wants this information, as it is far more than it needs to process a payment for coffee!
Wood spent two months attempting to contact Starbucks about the clear-text issue, but after being repeatedly transferred to customer service, he decided on Monday to publish his research online. The resulting press interest and negative publicity have had an effect: yesterday Curt Garner, Starbucks’ chief information officer, issued an open letter stating that:
‘Out of an abundance of caution, we are also working to accelerate the deployment of an update for the app that will add extra layers of protection… while we are working on the update, we would like to emphasize that your information is protected and that you should continue to feel confident about the integrity of our iOS app.’