
Evan Schuman: Starbucks caught storing mobile passwords in clear text

By Evan Schuman
January 15, 2014 11:09 AM ET

Brotman didn't specifically say that the passwords are no longer appearing in clear text. About two hours after Brotman and Garner discussed the security hole, Wood reran his tests on an updated Starbucks app, using the current iOS version, and passwords and usernames were still fully visible in clear text. This time, though, he also noticed a geolocation history file, detailing his latitude and longitude numbers for every time he asked the app to find a store.

"If you grab someone's phone, you can effectively go through this log and see effectively where this person has been," Wood said. "It's a bad thing for user privacy."

Although it is certain that Starbucks' policies permitted the clear text, the file in which the credentials appeared is actually part of a capture made by a third-party crash-analysis tool from a company called Crashlytics, which Twitter purchased last year. Neither Crashlytics nor Twitter returned emails and voicemail messages seeking comment.

How do the clear-text passwords endanger shoppers? A thief would need to first steal -- or at the very least borrow for 30 minutes or so -- a victim's phone. Do you feel secure because you use PIN protection on your phone? You shouldn't, says Wood. "You don't need a user's PIN in order to pull raw data off the phone using the tool and methods I have used," he said. "So if a user's phone is stolen, regardless of being PIN-protected, you are able to bypass that and access the apps Library/Cache and pull the session.clslog file." In other words, it's a simple matter for a thief to get the victim's Starbucks username and password. With those in hand, the thief could charge items to the victim's account, until all the stored value is used up.
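The two findings above, credentials and a location history sitting in a crash-reporter log under the app's cache directory, are the kind of thing an app team can catch before shipping by auditing the files its own build writes. The following is an added example, not code from the article, Starbucks or Crashlytics: a small Python audit script that scans a copy of a cache directory for lines that look like credentials or coordinate pairs, and a `redact()` helper showing how breadcrumb lines could be scrubbed before they are handed to a crash-reporting SDK. The field names in `SENSITIVE_KEYS`, the sample log text and the `prefs.plist` file are constructed for the demo; only the file name `session.clslog` and the `Library/Caches` location come from the article.

```python
"""Audit an app cache directory for credentials and location records in log files.

Added example (not from the article or the vendors it names). Field names,
sample log lines and file contents below are constructed for illustration.
"""
import re
import tempfile
from pathlib import Path

# Field names that should never reach a log file. Assumption: typical names;
# extend the tuple for the app actually being audited.
SENSITIVE_KEYS = ("password", "passwd", "pwd", "username", "email", "token", "secret")

# Matches key=value, key: value and "key":"value" forms. The prefix group keeps
# the separator and opening quote so redaction can preserve the line layout.
KV_RE = re.compile(
    r'(?P<prefix>"?(?P<name>' + "|".join(SENSITIVE_KEYS) + r')"?\s*[:=]\s*"?)'
    r'(?P<value>[^"\s,;&]+)',
    re.IGNORECASE,
)

# Matches a latitude followed (within a short distance) by a longitude.
GEO_RE = re.compile(
    r"lat(?:itude)?\s*[:=]\s*(-?\d+(?:\.\d+)?).{0,40}?lon(?:gitude)?\s*[:=]\s*(-?\d+(?:\.\d+)?)",
    re.IGNORECASE,
)

# Constructed sample of what a chatty crash-reporter log might contain.
SAMPLE_LOG = """\
2014-01-15 10:02:11 app launched build 2.6.1
2014-01-15 10:02:40 POST /account/login username=alice@example.com&password=hunter2
2014-01-15 10:02:41 response {"token":"abc123def","expires":3600}
2014-01-15 10:05:03 store locator lat=47.6097 lon=-122.3331
"""


def find_credential_leaks(text):
    """Return (line_no, field_name, value) for every credential-looking field."""
    return [
        (n, m.group("name").lower(), m.group("value"))
        for n, line in enumerate(text.splitlines(), 1)
        for m in KV_RE.finditer(line)
    ]


def find_location_records(text):
    """Return (line_no, latitude, longitude) for every coordinate pair logged."""
    return [
        (n, float(m.group(1)), float(m.group(2)))
        for n, line in enumerate(text.splitlines(), 1)
        for m in GEO_RE.finditer(line)
    ]


def redact(line):
    """Mask the value of any sensitive field so the line is safe to send to a crash reporter."""
    return KV_RE.sub(lambda m: m.group("prefix") + "[REDACTED]", line)


def scan_cache_dir(root):
    """Walk a copied cache directory; map each file path to its credential hits."""
    report = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        hits = find_credential_leaks(text)
        if hits:
            report[str(path)] = hits
    return report


def demo():
    """Build a throwaway Library/Caches tree with constructed files and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        cache = Path(tmp) / "Library" / "Caches"
        cache.mkdir(parents=True)
        (cache / "session.clslog").write_text(SAMPLE_LOG)  # file name from the article
        (cache / "prefs.plist").write_text(
            "<plist><key>theme</key><string>dark</string></plist>"  # constructed, clean file
        )
        report = scan_cache_dir(cache)
        # Return file names only so results do not depend on the temp path.
        return {Path(p).name: hits for p, hits in report.items()}


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}:")
        for line_no, field, value in hits:
            print(f"  line {line_no}: {field} = {value!r}")
    for line_no, lat, lon in find_location_records(SAMPLE_LOG):
        print(f"location record on line {line_no}: {lat}, {lon}")
    print(redact("username=alice@example.com&password=hunter2"))
```

Run it against a directory copied from a device you own, or wire `find_credential_leaks()` into a test that runs against the cache written by an instrumented build; `redact()` is the shape of the filter that belongs in front of whatever logging call feeds the crash-reporting SDK, because once a line has been written to a cache file it is outside the app's control.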

The thief could potentially steal far more if the victim had activated an auto-replenish option, which would allow the app to repeatedly access the victim's bank account to continually add more money to the Starbucks account. Brotman said that any request for more bank funds would trigger a message to the victim -- he said it would probably be an email -- which could alert the victim to the fraud. If the victim then contacted Starbucks, the account would be shut down.

But any victim who is traveling and has email access only on her phone would not receive that fraud alert from Starbucks, and that might give the thief plenty of time to run up big charges.

Asked about that particular scenario, Garner, the Starbucks CIO, said, "What you've described is fair, at a high level. From a design perspective, this could have potentially happened." He declined commenting on more specifics because "we're getting into security measures."
