Venti breach! — Starbucks iOS app leaves user data in the clear

Usernames, e-mail addresses, passwords, and location data among exposed data.

The most popular mobile payment system in the US may also be among the leakiest. Security researcher Daniel Wood went public with his research Tuesday, revealing that the Starbucks iOS app exposes customers' usernames, e-mail addresses, passwords, and certain location data.

The problem doesn't arise directly from the Starbucks app. Rather, it stems from the cleartext logs maintained by the app's crash analytics software. The software, known as Crashlytics, allows developers to log application data for subsequent analysis in the event of an error. Crashlytics advises its partners to not log sensitive data, such as usernames and passwords. In this instance, the Starbucks app is passing user data along to the session.clslog file without any efforts to conceal it.
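The failure described above is a logging one: user fields are handed to the crash-reporting log exactly as the app holds them. As an added example (not Starbucks' or Crashlytics' code), the Python below shows the redaction step a crash-log wrapper should run over every payload before writing it, using a hypothetical `log_payload` sink: password-like fields are dropped, identifiers are masked, and coordinates are coarsened.

```python
import hashlib
import re

# Key tokens that must never reach a crash/analytics log.
SECRET_TOKENS = {"password", "passwd", "pin", "token", "secret", "authorization"}
# Key tokens that identify a person; masked so reports can still be grouped.
IDENTITY_TOKENS = {"email", "username", "login", "user"}
# Key tokens carrying precise location; keep only a coarse value for debugging.
LOCATION_TOKENS = {"lat", "latitude", "lon", "lng", "longitude"}

_EMAIL_RE = re.compile(r"^([^@]+)@(.+)$")


def _key_tokens(key: str) -> set:
    """Split 'userPassword' / 'user_password' into {'user', 'password'}."""
    snake = re.sub(r"([a-z0-9])([A-Z])", r"\1_\2", key).lower()
    return set(t for t in re.split(r"[^a-z0-9]+", snake) if t)


def mask_identifier(value: str) -> str:
    """Keep enough to correlate crash reports, not enough to identify or reuse."""
    m = _EMAIL_RE.match(value)
    if m:
        local, domain = m.groups()
        return f"{local[0]}***@{domain}"
    # Non-e-mail identifiers: short stable hash so repeat crashes still group.
    return "id:" + hashlib.sha256(value.encode()).hexdigest()[:12]


def sanitize_for_crash_log(payload: dict) -> dict:
    """Return a copy of `payload` that is safe to hand to a crash-analytics logger."""
    clean = {}
    for key, value in payload.items():
        tokens = _key_tokens(key)
        if tokens & SECRET_TOKENS:
            clean[key] = "[REDACTED]"
        elif tokens & IDENTITY_TOKENS:
            clean[key] = mask_identifier(str(value))
        elif tokens & LOCATION_TOKENS:
            clean[key] = round(float(value), 1)  # ~10 km: a region, not an address
        else:
            clean[key] = value
    return clean


def log_payload(payload: dict, sink: list) -> None:
    """Hypothetical crash-log write: nothing reaches the sink unsanitized."""
    sink.append(sanitize_for_crash_log(payload))


# Constructed sample of the kind of record the article says was written in the clear.
SAMPLE = {"username": "jane.doe@example.com", "password": "Hunch3d-C0ffee",
          "latitude": 47.6205, "longitude": -122.3493, "screen": "StoreLocator"}
```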

Wood points out that the method he used to access the data circumvents the device's PIN lock and could be carried out with less than 30 minutes of physical access to the phone. Stolen phones would be the most likely target for this attack, and though the breach might seem limited to simply filling up on a little coffee, users who have set their accounts up to auto-replenish periodically could be at greater risk. The habit many people have of reusing passwords could expose users to additional breaches, too.

The breach was initially uncovered in November, and Wood said he reached out to Starbucks several times with little success. In response to questions from ComputerWorld, Starbucks Chief Digital Officer Adam Brotman said that the company has "adequate security measures in place now." With no further elaboration on what those measures might be, Wood re-ran his tests on the latest public build of the software and found that user data remains accessible in cleartext, along with location data from any instance in which the user asked the app to find a nearby Starbucks.

ComputerWorld suspects that the leak is a result of valuing convenience over security concerns. By storing the account password on the device, users need only enter their password when they initially activate the app. Convenience is a key component in driving adoption of a new consumer behavior, such as using a mobile device for payments. In this case, the choice to make the transaction convenient may be exposing users to more than just hot coffee.