Starbucks has promised to update its mobile app – the most-used mobile payment app in America – after a security researcher found that it stored passwords in plain text, leaving users vulnerable to attack, according to a report by Computer World.
The vulnerability was uncovered by security researcher Daniel Wood, who published his findings this week. Wood said, “There are multiple instances of the storage of clear-text credentials that can be recovered and leveraged for unauthorized usage of a user’s account on the malicious users’ own device or online.”
Anyone with access to a phone with the Starbucks app can recover both the username and password by connecting the device to a PC, according to Infoworld’s report. No jailbreaking of the device or other illegal software is required.
Computer World commented that the app’s storage of the password was a clear case of convenience trumping security concerns – allowing consumers to buy goods rapidly without entering a password. Passwords are only required when topping up the app with more money.
Speaking to Computer World, Charlie Wiggs, general manager at mobile vendor Mozido, said, “A company like Starbucks has to make the choice between usability to drive adoption and the potential for misuse or fraud. Starbucks has opted to make it very convenient. They just have to make sure that their comfort doesn’t overexpose their consumers and their brand.”
Starbucks promised security improvements to the app, and in an official statement, said that there had been no known instances in which customers had been impacted by the vulnerability.
Speaking to Infoworld, Starbucks’ chief digital officer, Adam Brotman, said that executives had known that passwords were stored as plain text within the app: “We were aware. That was not something that was news to us.”
Speaking to Geekwire, Starbucks said, “Our customers’ security is of the utmost importance to us, and we actively monitor for risks and vulnerabilities. While we are aware of the theoretical vulnerabilities outlined in this report, there is no known impact to our customers at this time.”
“To further mitigate our customers’ potential risk from these theoretical vulnerabilities, Starbucks has taken additional steps to safeguard any sensitive information that might have been transmitted in this way.”
Author Rob Waugh, We Live Security