The coffee giant behind the most widely used mobile-payment app in the U.S. has been storing users' passwords in clear text, without any encryption, leaving information tied to the app, including credit card numbers, email addresses and location data, highly vulnerable to theft.
Starbucks confirmed late Tuesday, in a Computerworld report published Wednesday, that anyone could read the unencrypted data stored by the official Starbucks app simply by connecting the phone to a computer. No hacking or jailbreaking was necessary, and the phone's lock screen or PIN offered no protection, since the data could be copied off the device without unlocking it.
Convenience is apparently the only reason for the lax security. Users need to enter their password only once, after creating a Starbucks account, and can then use the app seamlessly for purchases at Starbucks locations. Customers often tie a credit card to the app so they can pay on the go without manually reloading their balance.
If the credentials were not stored on the device, users would have to type their password every time they paid for a purchase.
The app also tracks location: users can look up nearby Starbucks stores, and the app saves the user's own location at the time of each search.
Taken together, these features mean the app stores a dangerous amount of data should a customer's phone fall into the wrong hands, even briefly. A thief would only have to borrow the phone, connect it to a computer, copy the data, and return the phone, leaving the owner with no reason to suspect that anything had been taken.
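The trade-off described above (type the password once, have the app remember it) does not actually require keeping the password on the device. The following added example, which is not code from the article or from Starbucks, contrasts the pattern the article describes (cacheing the typed password and last search location in a plain file) with a hardened pattern that persists only an opaque, server-revocable session token. The `AuthServer` class is a hypothetical stand-in for the back end, the file paths are temporary files created by the script, and the credentials are constructed sample data. The `cleartext_leaks` function is the check a reviewer would run against an app's sandbox: does the secret appear verbatim in what is written to disk?

```python
"""Constructed example: why persisting the password itself is the problem.

Not Starbucks' code. 'AuthServer' is a hypothetical stand-in for the back
end; the files are temporary files created here; the credentials are sample data.
"""
import hashlib
import hmac
import json
import os
import secrets
import tempfile

PBKDF2_ROUNDS = 100_000


def save_session_insecure(path, email, password, last_location):
    """Vulnerable pattern (what the article describes): cache the typed
    credentials and the last search in a plain file. Anyone who can read the
    app's sandbox, e.g. over a USB connection, gets the password itself, which
    is reusable against every other account that shares it."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump({"email": email, "password": password,
                   "last_location": last_location}, f)


class AuthServer:
    """Hypothetical back end: salted PBKDF2 password store plus opaque,
    revocable session tokens."""

    def __init__(self):
        self._users = {}     # email -> (salt, derived key)
        self._sessions = {}  # token -> email

    def register(self, email, password):
        salt = secrets.token_bytes(16)
        key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[email] = (salt, key)

    def login(self, email, password):
        """Return a fresh session token on success, None otherwise."""
        record = self._users.get(email)
        if record is None:
            return None
        salt, key = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, key):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = email
        return token

    def whoami(self, token):
        return self._sessions.get(token)

    def revoke(self, token):
        self._sessions.pop(token, None)


def save_session_hardened(path, email, token):
    """Persist only the opaque token. This keeps the 'type your password once'
    convenience, but a copied file yields something the server can revoke,
    not a secret the user may reuse elsewhere. Owner-only file mode on top."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump({"email": email, "token": token}, f)
    os.chmod(path, 0o600)


def cleartext_leaks(path, secrets_to_find):
    """The check: which of the given strings appear verbatim in the file?"""
    with open(path, "rb") as f:
        blob = f.read()
    return [s for s in secrets_to_find if s.encode() in blob]


def demo(email="user@example.com", password="correct horse battery staple"):
    """Run both patterns on the same credentials; report what an attacker who
    copies each file learns, and whether a stolen token survives revocation."""
    server = AuthServer()
    server.register(email, password)
    token = server.login(email, password)
    location = "47.61,-122.33"  # constructed sample coordinates
    with tempfile.TemporaryDirectory() as d:
        insecure = os.path.join(d, "cache.json")
        hardened = os.path.join(d, "session.json")
        save_session_insecure(insecure, email, password, location)
        save_session_hardened(hardened, email, token)
        leaked_insecure = cleartext_leaks(insecure, [password, location, token])
        leaked_hardened = cleartext_leaks(hardened, [password, location, token])
        # The user reports the phone lost: the server revokes the session.
        server.revoke(token)
        token_still_valid = server.whoami(token) is not None
    return {
        "insecure_leaks_password": password in leaked_insecure,
        "insecure_leaks_location": location in leaked_insecure,
        "hardened_leaks_password": password in leaked_hardened,
        "hardened_leaks_token": token in leaked_hardened,
        "token_valid_after_revoke": token_still_valid,
        "wrong_password_rejected": server.login(email, "wrong") is None,
    }


if __name__ == "__main__":
    print(demo())
```

The hardened file still leaks the token to anyone who copies it, so the token must be short-lived or revocable and should live in the platform keystore rather than a plain file; the point is that revoking a token costs the user nothing, whereas a leaked password that is reused on other sites cannot be recalled.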
According to Computerworld, Starbucks executives were fully aware of how the app functions, and declined to inform customers until security researcher Daniel Wood found the flaw and tried contacting the company for months starting in November. When no one from Starbucks returned his repeated requests to talk, Wood published his findings on Monday.
Shortly afterward, Starbucks responded with an app update and stated that customers' information was safe because the company had added unspecified "extra layers of security."
But Wood downloaded the update and plugged his phone into his computer to check, and all of the data was still accessible in clear text, with no significant changes.
If their data is compromised, Starbucks customers could have more to lose than their privacy and credit cards. Numerous security experts say as many as 20 percent of consumers reuse the same password across multiple online accounts, including bank accounts, so a password read off the phone can be tried against every other service where the victim used it.
The Starbucks security risk comes weeks after it was revealed that major retailer Target lost payment card and personal data of up to 70 million customers in a massive electronic theft during the busiest shopping quarter of the year. Starbucks may have to take serious steps to address users' security concerns or risk losing customers.