Starbucks Mobile Payments App Caught Storing Passwords in Plain Text
Published on: 16th Jan 2014
Note -- this news article is more than a year old.
The coffee chain Starbucks has confirmed that a mobile payment app that it offers to customers in the USA has been storing user account details in plain text without any form of encryption.
The information was also stored in such a simple manner that anyone who could hook their mobile phone to a computer would be able to extract the username and password details from a simple file stored on the handset.
Starbucks CIO Curt Garner and Starbucks Chief Digital Officer Adam Brotman both confirmed to ComputerWorld that they were aware that their mobile payments app was storing customer information in plain text.
The passwords are not transmitted by the handsets, so the only way they could be extracted is if a hacker had physical access to the phone, but in such a situation, they would be able to easily extract the data.
The other main concern is that the app also logs the users location, and that information is also being stored in a plain text file that anyone could access and read.
Starbucks says that it has since added layers of additional security to protect customers, but declined to say what those are.
On the web: ComputerWorld