Shopping at Starbucks is convenient for the mobile users among us via the use of the company's mobile payment app. As it turns out, this same app stores user data in clear text, causing a potential privacy issue. Confirmation of this was made by Starbucks yesterday night, and executives confirmed they were previously aware of the method of storage. The discovery was first made known by Daniel Wood, a security researcher who reportedly attempted to contact the company about it this past November.
After two months of being unable to get anywhere with the company, Wood decided to publish the research this past Monday, raising concerns about privacy. Among the details stored in clear text is one's account password, username, and email address, as well as geolocation tracking data that shows where one has been. Anyone with basic tech knowledge could access the information by connecting the handset to a computer via USB.
Unfortunately, this isn't an instance of an unintended vulnerability that, upon discovery, was fixed. It seems the use of clear text was chosen for the purpose of convenience, allowing one to log into his or her app a single time and then proceed from there with multiple purchases, never having to log in again -- with the exception of adding funds. By using a more secure method, one would have to log in whenever a new purchase is made.
Upon publication of the details, Starbucks has made some alleged changes to the app, none of which have been detailed, that are supposed to tighten up the gaping vulnerability. Wood tested the app again after the update, and reports that he can still access the passwords and usernames, and that it was with this test he also gained access to the geolocation information, saying it appears in a history file following whatever changes Starbucks made.
SOURCE: Computer World