Starbucks executives have confirmed that the coffee chain’s mobile payment app has been storing payment credentials in cleartext.
The app, the most widely used mobile payment app in the US, had been storing usernames, email addresses and passwords unencrypted, meaning anyone with physical access to the handset could read the credentials by connecting the phone to a computer.
Starbucks chief digital officer Adam Brotman admitted executives were aware of the issue, saying: "We were aware – this was not something that was news to us."
Some in the security industry have criticised Starbucks for prizing customer convenience over security.
The Starbucks app only requires the customer to enter credentials once to activate the payment option and then enter the password again when adding money.
Although this means customers do not have to re-enter their details when making a purchase, the credentials then have to be stored on the phone, where their protection depends entirely on how the app chooses to store them.
The issue was first revealed by security researcher Daniel Wood, who published some of his research on 13 January after unsuccessfully trying to contact Starbucks.
Brotman played down customer fears over security, saying Starbucks had added "extra layers of security", without specifying what these "extra layers" were.
However, Wood challenged this dismissal of the security flaws, saying he had re-run tests on an updated Starbucks app with the same results.
This time, Wood also found that the app kept a geolocation history file in cleartext, recording his coordinates every time he used the app to locate his nearest Starbucks.
Wood said: "If you grab someone’s phone, you can effectively go through this log and see effectively where this person has been. It’s a bad thing for user privacy.
"You don’t need a user’s PIN in order to pull raw data off the phone using the tool and methods I have used," he added.
"So if a user’s phone is stolen, regardless of being PIN-protected, you are able to bypass that and access the apps Library/Cache and pull the session.clslog file."
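The check Wood describes, pulling an app's cache off the device and reading through it for cleartext credentials and a location trail, is easy to script once the files are on a computer. The following is an added example written for this page, not Starbucks' code or Wood's tooling; the log lines it scans are constructed for illustration and do not reproduce the real session.clslog format, and the file name session.log and the Library/Caches path in the demo are assumptions.

```python
"""Audit an extracted app cache for cleartext credentials and location history.

Added example, not Starbucks' code or the researcher's tooling. The sample log
below is constructed for illustration and is not the real session.clslog layout.
"""
import re
import tempfile
from collections import Counter
from pathlib import Path

# Constructed sample of what a cleartext cache/log file might hold.
SAMPLE_LOG = """\
2014-01-13 09:12:04 INFO session start
2014-01-13 09:12:05 DEBUG login username=jane.doe@example.com password=CorrectHorse42
2014-01-13 09:12:07 DEBUG store-locator lat=47.6097 lon=-122.3331
2014-01-13 10:45:11 DEBUG store-locator lat=47.6205 lon=-122.3493
2014-01-13 10:46:00 INFO reload-card amount=20.00
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# key=value or key: value pairs whose key names a credential field
CRED_RE = re.compile(r'(?i)\b(password|passwd|pwd|username|user)\s*[=:]\s*"?([^"\s,;]+)')
# a latitude followed somewhere on the same line by a longitude
GEO_RE = re.compile(
    r"(?i)\b(?:lat|latitude)\s*[=:]\s*(-?\d{1,2}\.\d+).*?"
    r"\b(?:lon|lng|longitude)\s*[=:]\s*(-?\d{1,3}\.\d+)"
)


def redact(value: str) -> str:
    """Keep enough of a value to recognise it in a report without reproducing the secret."""
    if len(value) <= 2:
        return "***"
    return value[:2] + "*" * (len(value) - 2)


def scan_text(text: str) -> list[dict]:
    """Return one finding per email, credential field or coordinate pair found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in EMAIL_RE.finditer(line):
            findings.append({"line": lineno, "kind": "email", "value": redact(m.group(0))})
        for m in CRED_RE.finditer(line):
            findings.append({"line": lineno, "kind": "credential",
                             "field": m.group(1).lower(), "value": redact(m.group(2))})
        m = GEO_RE.search(line)
        if m:
            findings.append({"line": lineno, "kind": "location",
                             "value": f"{m.group(1)},{m.group(2)}"})
    return findings


def scan_directory(root: Path) -> dict[str, list[dict]]:
    """Scan every regular file under root (e.g. an extracted Library/Caches tree)."""
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            findings = scan_text(path.read_text(encoding="utf-8", errors="ignore"))
            if findings:
                report[str(path.relative_to(root))] = findings
    return report


def summarize(findings: list[dict]) -> dict[str, int]:
    """Count findings by kind, e.g. {'email': 1, 'credential': 2, 'location': 2}."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    # Build a throwaway directory shaped like an app sandbox (assumed layout) and scan it.
    with tempfile.TemporaryDirectory() as tmp:
        cache = Path(tmp) / "Library" / "Caches"
        cache.mkdir(parents=True)
        (cache / "session.log").write_text(SAMPLE_LOG)
        for name, findings in scan_directory(Path(tmp)).items():
            print(name, summarize(findings))
            for f in findings:
                print("  ", f)
```

The scanner deliberately redacts credential values in its own output: an audit report that copies the passwords it found into another cleartext file recreates the problem it is looking for. The two location hits on consecutive lines are the point Wood makes about privacy: with the timestamps, the file is a movement log, not just a cache.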
Responding to Wood’s findings, Curt Garner, the Starbucks CIO, said, "What you’ve described is fair, at a high level. From a design perspective, this could have potentially happened."
He declined to make any more specific comments, saying he could not talk about security measures in any more detail.