Starbucks has confirmed a finding by security researcher Daniel Wood that both username and password in its iOS app are stored in plain text.

It’s not the big deal some are making it out to be – to make use of it, someone would need physical access to your unlocked iPhone, in which case you likely have bigger things to worry about than someone being able to order tall skinny lattes on your dime. Additionally, as Engadget observes, a far easier hack by someone with access to your phone would simply be to take a photo of the on-screen barcode used to authorise payments.

All the same, it is pretty poor design on the part of a payment app from a major company, and it’s surprising that Starbucks apparently has no plans to fix it with an updated app.

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

7 Responses to “Starbucks confirms that its iOS app stores passwords in plain text”

  1. Sitting in Starbucks reading this, after I just used my APP to pay for it. :) I wonder if you use the Passbook on the iPhone instead of the actual Starbucks APP you can avoid that?


    • I think the only authentication occurs when you actually log into your account to refresh the balance on your card, not making purchases since they use the same kind of gift card number system as most companies.


  2. jlword says:

    Seem that iOS has been plagued with security issues, going back to the finger print scanner hack, the recent in-app purchase issue that Apple is paying for, now this app issue among others.


    • Ben Lovejoy says:

      There wasn’t really a security issue with in-app purchases – that was parents failing to use the security provided. The Touch ID hack is also not something ordinary users would ever need to worry about: it required way too much effort and time.


      • jlword says:

        True to some extent regarding in-app purchases. But any access to what is assumed to be restricted data or functionality by anyone other than the intended authorized user is fundamentally a security issue. Apple acknowledges responsibility for this problem by paying millions to resolve the issue and making changes to preclude it from happening again. It is reasonable to conclude that if fixes can be implemented post-problem to keep this from occurring again, that the initial implementation could, or better, should have been such to keep this, in-app out purchase fiasco from occurring in the first place. I am inclined to believe that millions of dollars later, likely millions of offended customers later and massive bad PR blitz later there is someone at Apple who feels the initial implementation should have been such to make the system more secure rather than implementing security-enhancing fixes post-problem.


    • It one thing to mention overall iOS security issues and another to wrap all of that into a whole because of one poorly written app. iOS as an OS hasn’t been plagued with any major security issues for awhile.

      The Starbucks app hasn’t been updated in ages and wouldn’t even classify as an iOS7 app in my opinion since it still have an old iOS design style. It’s shocking that a large corporate company like Starbucks hasn’t updated its app since iOS7 launched and also isn’t planning a refresh of its app at this point. Disappointing.


      • jlword says:

        Because the app is within Apples iOS ecosystem it is their responsibility to ensure their customer security is not compromised by what they allow in their app store which is part of the IOS ecosystem. Apple often boasts about the security of their app store. It might be prudent if Appke, in light of this Starbucks security issue, to live up to thier toted security, and restrict the app from the app store in its current form, until Starbucks resolves the app. I’m sure Starbucks response would be swift. Apple controls its ecosystem, or at least they should. There are various factors to the ecosystem, an an app, though no written by Apple, is within Apples control to restrict from its ecosystem. They are also great marketers and are not shy with PR and can with the restriction from the app store, notify current users of the app of the issue and thier attempts to work with Starbuck toward a solution. Apples image is very important to them,and more likely than not, mist users who feel violated by this Starbuck iOS app won’t blame Starbucks but they will likely blame Apple for the breach of security or vulnerability they are exposed to while using their iPhones. Apple goal is to have the iPhone “become” many things in many situations through apps. People see the app as somewhat transparent as the “USE THIER IPHONE” to perform a task. The phone becomes the tool. If the phone is vulnerable when used at Starbucks, many ordinary, everyday users will see this as Apples problem. Again Apple has the power to address this.