Starbucks smartphone application stores customers' information including passwords in plain text format that can be accessed by anyone in possession of a customer's smartphone.
Starbucks has a popular mobile application that lets customers place orders and pay using smartphones. The convenience of simply placing an order without entering the password comes at a great cost. Daniel Wood, a Starbucks customer exposed the vulnerability and shared it with the coffee chain in December. Since the technical team came back with no response, Wood decided to go public by posting his findings online and ComputerWorld reported his post, Tuesday.
Wood, who is a security researcher, found that Starbucks mobile app stores customers' usernames, passwords, and other personal information in plain text format. This puts customers in a dangerous situation where a hacker with basic hacking skills can easily recover the private information by connecting the phone to a laptop.
"The credentials were stored in such a way that anyone with access to the phone can see the passwords and usernames by connecting the phone to a PC. No jailbreaking of the phone is necessary," Computer World reported. "And that clear text also displays an extensive list of geolocation tracking points (latitude, longitude), a treasure trove of security and privacy gems for anyone who steals the phone."
The well-known coffee chain executives also confirmed to the tech magazine that the vulnerability exists, but no case has been reported yet of customers being exploited.
The mobile app allows customers to make in-store payments without typing their passwords repeatedly. Once the password is entered during the activation and the first log-in, users only need the password again if they need to add more money to the account.
In December, Wood also found that the iOS app for Subway California by ZippyYum puts customers' information at an even greater risk. The app stores the complete street address, email address, geolocation and more importantly the credit card info in plain text, which fallen into wrong hands can do a significant amount of damage to the owner. The news was exposed through SecLists.org.