November 27, 2024

Starbucks Admits Its iPhone App Stores User Passwords, Location Data in Plain Text

Posted January 16, 2014 at 3:13pm by iClarified · 10022 views
The most used mobile-payment application in the United States has been storing usernames, email addresses, passwords, and even location data in plain text, Starbucks executives confirmed.

Since the information is not encrypted (and therefore stored in plain text) anyone can simply connect the phone to a computer and view the credentials. No jailbreak is requires since the folder is public.

"A company like Starbucks has to make the choice between usability to drive adoption and the potential for misuse or fraud," said Charlie Wiggs, general manager and senior vice president for U.S. markets at mobile vendor Mozido. "Starbucks has opted to make it very convenient. They just have to make sure that their comfort doesn't overexpose their consumers and their brand."

"Yes, it does surprise me," said Gartner security analyst Avivah Litan. "I would have expected more out of Starbucks. At least they should have informed consumers."

And apparently Starbucks could have done that. Two executives -- Starbucks CIO Curt Garner and Starbucks Chief Digital Officer Adam Brotman -- said in a telephone interview that they have known for an unspecified period of time that the credentials were being stored in clear text. "We were aware," Brotman said. "That was not something that was news to us."


Daniel Wood, the security researcher that found the unecryped information says he has tested this on the latest version of the app, which Starbucks claims includes 'adequate security measures.' Unfortunately, Wood found the information is still easily accessible, although, a thief would still need the phone to take advantage of it.

We're still unsure if Starbucks will fix this issue, since it does bring 'convenience' to users by not forcing them to enter a password every time.

Read More via Computer World

Starbucks App Download