January 16, 2014, updated 04 Apr 2017 4:09pm

Starbucks app stored payment credentials in cleartext

Starbucks executives have confirmed that the coffee chain's mobile payment app has been storing payment credentials in cleartext.

By Ellie Chambers

The app, the most widely used mobile payment app in the US, had been storing usernames, email addresses and passwords without them being encrypted, meaning anyone could access the credentials by connecting the phone to a computer.

Starbucks chief digital officer Adam Brotman admitted executives were aware of the issue, saying: "We were aware – this was not something that was news to us."

Some in the security industry have criticised Starbucks for prizing customer convenience over security.

The Starbucks app only requires the customer to enter credentials once to activate the payment option and then enter the password again when adding money.

Although this means customers do not have to go through re-entering data when making a purchase, the credentials then have to be stored on the phone.

The issue was first revealed by security researcher Daniel Wood, who published some of his research on 13 January after unsuccessfully trying to contact Starbucks.

Brotman played down customer fears over security, saying Starbucks had added "extra layers of security", without specifying what these "extra layers" were.

However, Wood challenged this dismissal of the security flaws, saying he had re-run tests on an updated Starbucks app with the same results.

This time, Wood also realised that the app had a geolocation history file in cleartext which gave his co-ordinates every time he used the app to locate his nearest Starbucks.

Wood said: "If you grab someone’s phone, you can effectively go through this log and see effectively where this person has been. It’s a bad thing for user privacy.

"You don’t need a user’s PIN in order to pull raw data off the phone using the tool and methods I have used," he added.

"So if a user’s phone is stolen, regardless of being PIN-protected, you are able to bypass that and access the app’s Library/Cache and pull the session.clslog file."

Responding to Wood’s findings, Curt Garner, the Starbucks CIO, said, "What you’ve described is fair, at a high level. From a design perspective, this could have potentially happened."

He declined to make any more specific comments, saying he could not talk about security measures in any more detail.
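The findings above come down to one local-storage check an app reviewer can run before release: pull the app's sandbox from a test device and scan it for anything that should never be at rest in cleartext, such as account e-mail addresses, password fields and location fixes. The script below is an added example, not code from the article or from Starbucks; it builds a constructed sample cache directory (the file names and contents are invented for illustration) and reports which plaintext files contain those patterns, which is exactly the class of finding Wood describes.

```python
import json
import re
import tempfile
from pathlib import Path

# Patterns for data that should not be at rest in cleartext in an app cache.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SECRET_RE = re.compile(r"(?i)\b(password|passwd|pwd|secret|token)\b[\"']?\s*[:=]\s*\S+")
# A latitude/longitude pair such as 47.6097,-122.3331 (a geolocation history entry).
LATLON_RE = re.compile(r"(-?\d{1,2}\.\d{3,})\s*,\s*(-?\d{1,3}\.\d{3,})")

TEXT_THRESHOLD = 0.9  # fraction of printable bytes needed to treat a file as text


def is_plaintext(data: bytes) -> bool:
    """Heuristic: a file is plaintext if nearly all bytes are printable ASCII."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) >= TEXT_THRESHOLD


def scan_file(path: Path) -> dict:
    """Count e-mail addresses, secret-looking fields and coordinate pairs in one file."""
    data = path.read_bytes()
    result = {"path": str(path), "plaintext": False, "emails": 0, "secrets": 0, "locations": 0}
    if not is_plaintext(data):
        return result  # binary or encrypted content: nothing readable to flag
    text = data.decode("utf-8", errors="replace")
    result.update(
        plaintext=True,
        emails=len(EMAIL_RE.findall(text)),
        secrets=len(SECRET_RE.findall(text)),
        locations=len(LATLON_RE.findall(text)),
    )
    return result


def scan_dir(root: Path) -> list:
    """Walk an extracted app sandbox and return only files with at least one finding."""
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            r = scan_file(p)
            if r["emails"] or r["secrets"] or r["locations"]:
                findings.append(r)
    return findings


def build_sample_cache() -> Path:
    """Constructed sample sandbox (not real app data) in a temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="cache_audit_"))
    caches = root / "Library" / "Caches"
    caches.mkdir(parents=True)
    # A cleartext session log holding a login and two location lookups.
    (caches / "session.log").write_text(
        "2014-01-13 09:12:01 login user=jane.doe@example.com password=hunter2\n"
        "2014-01-13 09:12:05 locate 47.6097,-122.3331\n"
        "2014-01-13 17:45:10 locate 47.6205,-122.3493\n"
    )
    # Harmless preferences: readable but contains nothing sensitive.
    (caches / "prefs.json").write_text(json.dumps({"theme": "dark", "units": "metric"}))
    # Opaque binary blob: skipped by the plaintext heuristic.
    (caches / "blob.bin").write_bytes(bytes(range(256)) * 4)
    return root


if __name__ == "__main__":
    for finding in scan_dir(build_sample_cache()):
        print(f"{finding['path']}: emails={finding['emails']} "
              f"secrets={finding['secrets']} locations={finding['locations']}")
```

On a real review the `root` argument would be the app container copied from a test device; the heuristics are deliberately simple, so a hit is a prompt to inspect the file, and the fix for any confirmed hit is to stop persisting the value (store a short-lived server-issued token in the platform keystore instead of the password, and do not log location fixes at all).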
