Executives Confirm Starbucks App Stores Passwords in Plain Text

Starbucks executives confirmed Tuesday that their company’s mobile app stores various types of sensitive data in plain text, according to a recent analysis of the issue posted by Computerworld. Specifically, the Starbucks app retains username, password, and geolocation data on users’ mobile phones, leaving them vulnerable.

How the App Operates

Think of the Starbucks app as a mobile gift card. With the app, a user can add money to his or her account, and then make purchases by scanning the smartphone at a register upon checkout. In order to make its mobile app more user-friendly, Starbucks allows users to authenticate themselves when first using the service. Once a user enters his username and password, he is free to use the app for an unlimited number of purchases. Only when the user needs to replenish the funds in the account does the password need to be re-entered.

As Computerworld reports, this process is possible because the Starbucks app stores each user’s username and password on the phone. If that data was not stored locally, each user would need to enter his password with each subsequent order. Obviously, this method of data storage makes it much easier for any person to compete transactions, but it comes at a very high price.

Convenience Over Safety

Security researcher Daniel Wood was the first person to discover this vulnerability. He had tried since November to contact Starbucks to make the company aware of the issue, but after failing to reach the appropriate authorities he ended up posting his findings to SecLists, a security mailing list archive. In that post, he notes the specific location on a user’s phone where the data is stored—a file named session.clslog.

“Within session.clslog there are multiple instances of the storage of clear-text credentials that can be recovered and leveraged for unauthorized usage of a user’s account on the malicious user’s own device or online at https://www.starbucks.com/account/signin,” Wood writes.

Starbucks updated its app following Wood’s SecLists post. Wood then completed further analysis, however, and found geolocation data included alongside username and password data, meaning that hackers can potentially see where a user most often traveled if they were to access the phone.

The Greater Problem of Password Reuse

Although those threats are certainly real, a greater threat looms over the head of any clear-text username and password storage: password reuse. According to the Princeton research project titled “Password Management Strategies for Online Accounts,” students tend to use only a limited number of passwords for their ever-growing list of accounts.

In that study, the researchers find that “the majority of users had three or fewer passwords and passwords were reused twice.” They note that password reuse rates rise as undergraduates make more accounts because they don’t make more passwords. Undergraduates, they note, say remembering a limited number of passwords is easier to manage.

With customers often using the same mobile app password for everything from email accounts to online bank accounts, they are left vulnerable to hackers that are interested in more than just making illegal transactions at the local coffee bar. Starbucks’ Chief Digital Officer Adam Brotman said company officials are beefing up the security of their app, with Computerworld quoting Brotman as saying officials have applied “extra layers of protection.” However, it was after that statement that Wood again breached the app and found geo-location data.

Storing sensitive data as encrypted text is important because a hacker will be unable to use such data until it is decoded, a process that is made difficult if encryption is properly completed in the first place. Until Starbucks officials use such encryption practices outright, you may be better off paying for your next java with traditional cash or credit.

Will you continue using the Starbucks app?

Image courtesy of Flickr