January 16, 2014
Starbucks App Leaves Caffeine Junkies Vulnerable
Enid Burns for redOrbit.com - Your Universe Online
The first rule of creating a successful app is to protect your users' passwords. Yet Starbucks created an app that stores usernames, email addresses and passwords in clear text, leaving one of the most popular apps in the US vulnerable to attack.
Starbucks confirmed late on Tuesday that passwords were not encrypted, Computerworld reports. The credentials stored by the app are available to anyone with access to the phone who connects the handset to a PC. Additional data, such as geolocation tracking points (latitude and longitude), can also be read from the PC. "A treasure trove of security and privacy gems for anyone who steals the phone," Computerworld's Evan Schuman wrote.
Schuman calls it an example of "convenience trumping security." It is not clear whether Starbucks used the lack of security to attract customers to the app, or whether customers asked for an app with fewer security hurdles. However, the Starbucks mobile app is reportedly popular because of its "extreme ease of use."
Customers enter their password only once, when they add payment details and when they load money onto the app for later purchases. The app can then be used for unlimited purchases. The data exposed includes username and password details, geolocation, and payment credentials.
"A company like Starbucks has to make the choice between usability to drive adoption and the potential for misuse or fraud," said Charlie Wiggs, general manager and senior vice president for US markets at mobile vendor Mozido. "Starbucks has opted to make it very convenient. They just have to make sure that their comfort doesn't overexpose their consumers and their brand."
The security flaw was identified by Daniel Wood, a Minneapolis-area computer security specialist, the Seattle Times reports. Wood noted that the app contains a file with the user's email address, user name and password. The same file also stores credit card information. Wood was able to access the file by connecting his phone to a computer.
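The pre-release check a developer would want for the problem Wood describes, as an added example that is not from the article or from Starbucks: a Python audit that walks an app's data container and flags files holding e-mail addresses, password fields, latitude/longitude pairs or Luhn-valid card numbers in clear text. The container, its file names and its contents are constructed for this illustration; the card number is the standard test value, not a real card.

```python
import re
import tempfile
from pathlib import Path
# Constructed sample of an app data container (paths and contents made up for this
# illustration): the cache file leaks login, location and card data; the plist does not.
SAMPLE_FILES = {
    "Library/Caches/session.log": (
        "2014-01-14 08:31:02 login user=jane.doe@example.com pass=Coffee!2014\n"
        "2014-01-14 08:31:05 location lat=47.6097 lon=-122.3331\n"
        "2014-01-14 08:32:10 reload card=4111111111111111 amount=25.00\n"
    ),
    "Library/Preferences/settings.plist": "<plist><dict><key>session</key><string>opaque-token</string></dict></plist>\n",
}

# What a clear-text leak looks like on disk; long digit runs count only if they pass Luhn.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "password_field": re.compile(r"(?i)\b(?:pass(?:word)?|pwd)\s*[=:]\s*\S+"),
    "coordinates": re.compile(r"(?i)\blat\w*\s*[=:]\s*-?\d{1,2}\.\d+\D+-?\d{1,3}\.\d+"),
    "card_number": re.compile(r"\b\d{13,19}\b"),
}

def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_container(root) -> list:
    """Walk every file under the container; return (path, kind, masked sample) hits."""
    root, hits = Path(root), []
    for p in (f for f in root.rglob("*") if f.is_file()):
        text = p.read_text(encoding="utf-8", errors="ignore")
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(text):
                if kind == "card_number" and not luhn_ok(m.group()):
                    continue
                # report a masked prefix only, so the audit output does not leak the secret
                hits.append((p.relative_to(root).as_posix(), kind, m.group()[:4] + "..."))
    return hits

def build_sample_container() -> str:
    root = Path(tempfile.mkdtemp(prefix="app-container-"))
    for rel, content in SAMPLE_FILES.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(content, encoding="utf-8")
    return str(root)
```

Run it against a real container by pointing scan_container at the app's data directory extracted from a device backup; any hit is a finding to fix before release.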
The security flaw primarily affects Starbucks' iOS app, and it might not be fixed going forward.
"What's more, it appears that Starbucks may not intend to actually fix the problem. While the company told both Computerworld and The Seattle Times that the company had 'taken steps to safeguard customers' information,' it's unclear what steps it could have taken." Wood says that the latest version of the app still includes the same unencrypted passwords and usernames.
Starbucks would have to update the application to fix the issue, and it hasn't done that since May. "Anything they have done on their end won't matter as the vulnerability lies within the application on end user devices," The Verge's Sean Hollister wrote.
Another quick-serve restaurant app could also expose sensitive information. The Subway Ordering for California app stores users' complete street addresses, credit card information, email addresses, and geolocation in plain text, The Verge reports.