Starbucks iPhone App – not secure

Starbucks has been storing the passwords for its mobile-payment app, along with geolocation data, in clear text.

The credentials were stored in such a way that anyone with access to the phone can see the passwords and usernames by connecting the phone to a PC. (No hacking of the phone is necessary.) The app also stores, in plain text, an extensive list of geolocation tracking points (latitude, longitude).

[CVE-2014-0647] Insecure Data Storage of User Data Elements in Starbucks v2.6.1 iOS mobile application
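A check a mobile team can run on its own builds to catch this class of bug before release: log in on a test device with canary credentials, copy the app's data directory to a workstation, and scan it for those values and for coordinate pairs. This is an added example, not code from the advisory or from Starbucks; the canary values, file names and directory layout are constructed for illustration.

```python
import os
import re
import tempfile

# Decimal latitude/longitude pair such as "47.6097,-122.3331" or "lat=47.6097 lon=-122.3331".
COORD_RE = re.compile(rb"(-?\d{1,2}\.\d{3,})\D{1,12}?(-?\d{1,3}\.\d{3,})")

def scan_app_data(root, canaries):
    """Walk an extracted app data directory and report files that hold any
    canary value (test credentials typed into the app) or coordinate pairs
    in the clear. Returns a sorted list of (relative_path, finding)."""
    findings = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root)
            for label, value in canaries.items():
                # Some storage formats keep strings as UTF-16, so check those too.
                encodings = ("utf-8", "utf-16-le", "utf-16-be")
                if any(value.encode(enc) in data for enc in encodings):
                    findings.add((rel, label))
            for m in COORD_RE.finditer(data):
                lat, lon = float(m.group(1)), float(m.group(2))
                if -90 <= lat <= 90 and -180 <= lon <= 180:
                    findings.add((rel, "geolocation"))
                    break
    return sorted(findings)

def demo():
    """Build a constructed app sandbox (file names and contents are made up)."""
    canaries = {"username": "canary_user_7f3a", "password": "Canary-Pw-91xQ!"}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Library", "Caches"))
        os.makedirs(os.path.join(root, "Documents"))
        with open(os.path.join(root, "Library", "Caches", "debug.log"), "w") as fh:
            fh.write("POST /login user=canary_user_7f3a pass=Canary-Pw-91xQ!\n")
            fh.write("location update lat=47.6097 lon=-122.3331\n")
        with open(os.path.join(root, "Documents", "prefs.txt"), "w") as fh:
            fh.write("theme=dark\nversion=1.0\n")
        return scan_app_data(root, canaries)

if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{rel}: cleartext {finding}")
```

Any hit means the value reached disk unprotected; credentials belong in the iOS Keychain, and debug logging of request bodies and location updates should be off in release builds.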

There is a very good analysis by Computerworld of why this is a very bad thing here:
Evan Schuman: Starbucks caught storing mobile passwords in clear text

Somewhat more worrying is this quote from two Starbucks executives: “Starbucks CIO Curt Garner and Starbucks Chief Digital Officer Adam Brotman — said in a telephone interview that they have known for an unspecified period of time that the credentials were being stored in clear text. ‘We were aware,’ Brotman said. ‘That was not something that was news to us.’” — THAT'S BAD!!!
