Philip Cao

Starbucks iOS Payment App Stores User Passwords in Plaintext

On Monday a security researcher made full disclosure of an issue he had found in Starbucks’ iOS mobile application: “username, email address, and password elements are being stored in clear-text.” Now Starbucks has admitted, “We were aware. That was not something that was news to us.”

Daniel Wood is a professional pentester. As a coffee drinker he decided to look at the Starbucks app before trusting it with his credit card information. What he found was, “Within session.clslog there are multiple instances of the storage of clear-text credentials that can be recovered and leveraged for unauthorized usage of a users account on the malicious users’ own device or online at”

He reported the matter to Starbucks in December, but received no direct reply. On 13 January he posted his findings on the Full Disclosure mailing list.

Starbucks has made little response. Computerworld reports Chief Digital Officer Adam Brotman saying that the issue should no longer be a concern because “we have security measures in place now related to that” and “we have adequate security measures in place now.” He declined to say what those security measures were, but said that customers’ “usernames and passwords are safe,” because Starbucks has added “extra layers of security.”

The Seattle Times quotes an email from Starbucks spokesman Zack Hutson, saying the company had “taken steps to safeguard customers’ information and protect against the theoretical vulnerabilities raised in the report, but we are unable to discuss any of the details because we want to protect the integrity of our security measures.”

But The Verge reports, “it’s unclear what steps [Starbucks] could have taken. Daniel Wood, the security researcher who originally discovered the vulnerability in November, says that the latest version of the app still includes the same unencrypted passwords and usernames. Starbucks would have to update the application to fix the issue, Wood tells The Verge, and it hasn’t done that since May. ‘Anything they have done on their end won’t matter as the vulnerability lies within the application on end user devices,’ he says.”

There is an air of ‘denial’ coming from Starbucks, reminiscent of that from Snapchat following GibsonSec’s revelation of its own security issues. Snapchat called it a theoretical problem that should be of little concern – and a few days later 4.6 million emails and partial phone numbers were leaked onto the internet.

A mass leak of that kind won’t happen to Starbucks, because an adversary would need physical access to each phone in order to extract the individual credentials, but that will be of little reassurance to users who lose their phone or have it stolen.

Nevertheless there is some surprise that the company has not been more proactive in reassuring its customers. “Yes, it does surprise me,” Gartner security analyst Avivah Litan told Computerworld. “I would have expected more out of Starbucks. At least they should have informed consumers.” There is no mention of the issue on the Starbucks blog, even though those app-using consumers accounted for 11% of Starbucks transactions in Q3 last year, and contributed to a record volume of more than $1.3 billion in Starbucks card loads in the US and Canada.

[Source: InfoSecurity Magazine]

Copyright © 2006-2022 Philip Hung Cao. All rights reserved