Passwords Flow Freely at Starbucks
Starbucks' mobile app makes it quick and easy for customers to make a purchase -- but it makes it almost as quick and easy for ne'er do wells to unlock user name and password combinations on victims' phones. Starbucks has said it is addressing the problem and insists that no customers have been hurt because of it, but the company has not yet provided specifics on any action it has taken.
Jan 16, 2014 1:00 PM PT
Starbucks has admitted storing users' passwords in plain text on its mobile apps, creating security and privacy risks.
Anyone with access to a customer's phone could obtain that person's user name, password and email address by connecting the device to a computer and opening a file. The clear text also displays a string of geolocation data that could put customer privacy at risk, according to Computerworld.
Ease of Payment
The app allows users to quickly pay for their purchases at a Starbucks outlet, without having to re-enter their password each time they use it. They only have to enter their password once, when they are setting up the payment function in the app, and then they can make as many purchases as they wish without having to input their login information again. They need to use their password only when adding funds to their digital wallet.
In other words, the password is stored on the user's mobile device for the sake of convenience. That inherently carries security risks, but those risks are magnified by Starbucks' practice of storing the information in an easily obtainable plain text format.
With access to user names and passwords, a thief could make purchases until the customer's digital wallet was emptied.
The plain text issue (specifically in the iOS app, though Starbucks has an Android app as well) was first highlighted by security researcher Daniel Wood. Although he contacted Starbucks regarding the issue several times since mid-November, he was directed to customer service. Wood published his research this week.
The company has made changes that address the issue, it said, but it did not disclose to Computerworld exactly what those measures were.
Wood reportedly was able to access the customer information through the same method after Starbucks executives said the company had taken action to safeguard customer information.
"Our customers' security is our utmost priority, and we take these types of concerns seriously," Starbucks spokesperson Maggie Jantzen told TechNewsWorld. "It's important to note that there is no known impact to customers or indication that any customer information has been compromised."
'Abundance of Caution'
Starbucks has been working to speed up development of an app update to add extra protection "out of an abundance of caution," CIO Curt Garner said in a note aiming to assure customers that their information is protected.
This is the first time Starbucks will have updated its iOS app since May 2013.
The Starbucks debacle is the latest blow to consumer privacy and security, after tens of millions of Target customers' payment card data and personal information -- including names, mailing addresses, and email addresses -- were obtained by hackers.
Adobe also has been targeted, with hackers acquiring the customer data of as many as 38 million people, the company revealed last fall.
Same Password Issue
While the Starbucks issue is not quite as extensive as the security mishaps at those other two companies, many customers use the same email and password combination for a multitude of accounts, potentially putting accounts they use on other services -- including banking -- at risk.
"Many people only have one, two, if they're lucky maybe three passwords that they use on 95 percent of their accounts," Aaron Titus, chief privacy officer at Identity Finder, told TechNewsWorld. "Knowing the user name and password combination for one can unlock many others. If you use the same user name and password for Gmail as you do for your bank account and Gmail is hacked, you've got a serious problem."
Titus also explained that while adding the code that would hash (or convert the passwords to a shorter string of characters representing the full text) the user information is relatively simple, it has a knock-on effect to the rest of the app's code, since it's used to dealing with plain text passwords, rather than hashed ones.