Coffee giant Starbucks (NASDAQ:SBUX) admitted that its Apple (NASDAQ:AAPL) iOS mobile payment app on the iPhone keeps user location data and passwords in clear text format, leaving the data unencrypted and vulnerable.
The clear text vulnerability was found by security researcher Daniel Wood in version 2.6.1 of the Starbucks iOS App. According to Wood’s full disclosure post of the iOS app’s vulnerability, the plaintext flaw was originally reported to Starbucks in December 2013 before he made his findings public on Jan. 13, 2014.
Wood explained the specific vulnerability, where passwords and location data were stored in a plaintext, unencrypted format:
“Within session.clslog there are multiple instances of the storage of clear-text credentials that can be recovered and leveraged for unauthorized usage of a user’s account on the malicious users’ own device or online at https://www.starbucks.com/account/signin.”
According to a phone interview with Computer World, Starbucks CIO Curt Garner and Starbucks Chief Digital officer Adam Brotman said they were aware for an “unspecified time” that account passwords and data were being stored in clear text.
“We were aware,” Brotman said to Computer World. “That was not something that was news to us.”
Computer World was apt to point out that the Starbucks executives failed to say whether or not the passwords were still being stored in plaintext at that point despite their claim of “extra layers of security” being implemented.
Unfortunately for users of the Starbucks app, passcode locks do nothing to protect their data from this particular vulnerability since a thief would only need to pull the data the log file on their iPhone to gain access to their Starbucks credentials.
In addition, Wood found that the Starbucks mobile payment app also stored unencrypted location history of Starbucks app users, potentially exposing Starbucks iOS app users to potential privacy and security problems according to the Computer World report.
Wood's public disclosure also revealed that the clear text Starbucks crednetials were stored in a file associated crash analytics data that is handled by Crashlytics, a third-party crash report service acquired by Twitter (NYSE:TWTR) last year. Wood recommended several remedies for the Starbucks app’s security flaws, including preventing user data from ever being stored in the Crashlytics log file.
While the particular vulnerability disclosed by Wood still requires physical access to an iPhone with the Starbucks app, once obtaining user credentials, criminals would be able to use the auto replenish feature (if previously enabled) to load up their newly stolen Starbucks account with money and make Starbucks purchases.
From a broader security standpoint, many users tend to use the same passwords across websites and apps, opening them to larger security problems and concerns.