Starbucks: we stored your passwords in plaintext
The Starbucks mobile app saves your passwords and other user information in unsecured plaintext, Starbucks executives confirmed Thursday.
User information, including passwords, email addresses, usernames and geolocation data, was unencrypted — making it readily accessible to anyone who plugs the handset into a PC, according to a report detailing the vulnerability.
The Starbucks app, which is available to iOS, Android and BlackBerry users, is the most popular mobile payment app in the US.
According to the report, passwords are stored this way to make it easier for users to make purchases: customers only need to enter their username and password once, when first using the app, and can make all subsequent purchases without entering any login information.
While credit card and payment information isn’t visible, thieves could potentially use the exposed user information to make purchases on their victim’s Starbucks account, according to the report.
The availability of geolocation data presents its own concerns for privacy experts — including Daniel Wood, the security researcher who first discovered the vulnerability. “If you grab someone’s phone, you can effectively go through this log and see effectively where this person has been,” Wood told Computerworld. “It’s a bad thing for user privacy.”
Starbucks responded to the report Thursday with an open letter from Curt Garner, the CIO. Garner called the vulnerabilities “theoretical,” but acknowledged the company is taking extra security measures.
“We take these types of concerns seriously and have added several safeguards to protect the information you share with us,” Garner added. He also revealed Starbucks is working on an update to the app that will “add extra layers of protection.” No word yet on when the update will be available.