The most used mobile-payment application in the United States has been storing usernames, email addresses, passwords, and even location data in plain text, Starbucks executives confirmed.
Since the information is not encrypted (and is therefore stored in plain text), anyone can simply connect the phone to a computer and view the credentials. No jailbreak is required, since the folder is public.
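The defect described above is a storage problem, not a network one, so the natural check for an app team is to scan the app's own data container before release for credential-like fields sitting in cleartext. The following is an added example (not code from the article, from Starbucks, or from the researcher) that walks a container directory, parses `.plist` and `.json` files, and reports every non-empty field whose name looks like a username, password, email or location; the sample container it builds is constructed for the demo.

```python
import json, os, plistlib, re, tempfile

# Field names that should never be at rest in cleartext inside an app's data container.
SENSITIVE_KEY = re.compile(r"password|passwd|username|email|latitude|longitude", re.I)

def _load(path):
    """Parse a .plist/.json file into a dict; None if another format or malformed."""
    loader = {".plist": plistlib.load, ".json": json.load}.get(os.path.splitext(path)[1])
    if loader is None:
        return None
    try:
        with open(path, "rb") as fh:
            data = loader(fh)
    except (ValueError, plistlib.InvalidFileException):
        return None
    return data if isinstance(data, dict) else None

def _leaves(obj, prefix=""):
    """Yield (dotted_key, value) for every leaf of a nested dict."""
    for k, v in obj.items():
        if isinstance(v, dict):
            yield from _leaves(v, f"{prefix}{k}.")
        else:
            yield f"{prefix}{k}", v

def find_plaintext_credentials(root):
    """Return sorted [(relative_path, key)] for each non-empty sensitive field on disk."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            data = _load(path)
            if data is None:
                continue
            for key, value in _leaves(data):
                if SENSITIVE_KEY.search(key) and value not in (None, ""):
                    hits.append((os.path.relpath(path, root), key))
    return sorted(hits)

def build_sample_container():
    """Constructed sample: one plist holding cleartext credentials, one harmless json."""
    root = tempfile.mkdtemp()
    prefs = os.path.join(root, "Library", "Preferences")
    os.makedirs(prefs)
    with open(os.path.join(prefs, "session.plist"), "wb") as fh:
        plistlib.dump({"username": "user@example.com", "password": "hunter2",
                       "geo": {"latitude": 47.6, "longitude": -122.3}}, fh)
    with open(os.path.join(root, "theme.json"), "w") as fh:
        json.dump({"theme": "dark", "password": ""}, fh)  # empty value: not a finding
    return root
```

Run `find_plaintext_credentials(build_sample_container())` to see the four findings from the plist; a clean build of the real app should return an empty list, with credentials living in the platform keystore instead.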
"A company like Starbucks has to make the choice between usability to drive adoption and the potential for misuse or fraud," said Charlie Wiggs, general manager and senior vice president for U.S. markets at mobile vendor Mozido. "Starbucks has opted to make it very convenient. They just have to make sure that their comfort doesn't overexpose their consumers and their brand."
"Yes, it does surprise me," said Gartner security analyst Avivah Litan. "I would have expected more out of Starbucks. At least they should have informed consumers."
And apparently Starbucks could have done that. Two executives -- Starbucks CIO Curt Garner and Starbucks Chief Digital Officer Adam Brotman -- said in a telephone interview that they have known for an unspecified period of time that the credentials were being stored in clear text. "We were aware," Brotman said. "That was not something that was news to us."
Daniel Wood, the security researcher who found the unencrypted information, says he has tested this on the latest version of the app, which Starbucks claims includes 'adequate security measures.' Unfortunately, Wood found the information is still easily accessible, although a thief would still need the phone to take advantage of it.
We're still unsure whether Starbucks will fix this issue, since it does bring 'convenience' to users by not forcing them to enter a password every time.
Read More via Computer World