16 Jan 2014

Starbucks iOS Mobile App Stores Passwords in Plain Sight

Starbucks’ iOS mobile app saves customers’ usernames, email addresses and passwords in clear text, according to Computerworld

Anyone who accesses the phone can see the user’s credentials by connecting the device to a computer. It appears the app also stores geolocation information, which puts the user’s privacy at risk if the device is lost or stolen.

Experts say Starbucks may have opted for this type of storage to make the app easy to use, as it requires customers to enter their account password only once.

"A company like Starbucks has to make the choice between usability to drive adoption and the potential for misuse or fraud," said Charlie Wiggs, General Manager and SVP of US Markets at mobile vendor Mozido. "Starbucks has opted to make it very convenient. They just have to make sure that their comfort doesn't overexpose their consumers and their brand."

Starbucks officials said they are not concerned about users’ data  because they added “extra layers of security.”

"We have security measures in place now related to that," Adam Brotman, Starbucks Chief Digital Officer, told Computerworld.

The privacy flaw was discovered by security researcher Daniel Wood, who tried to contact Starbucks for two months. After failing to do so, he published his findings on the Seclists.org forum.