Starbucks iOS app storing user credentials in plain text
Watch out, coffee drinkers. If you are one of the 10 million Starbucks customers who purchase drinks and food directly from their smartphones, this news is for you!

If you use Starbucks' official iOS app, you should know that the company is not encrypting any of your information, including your password.

The app lets Starbucks customers check their balance and transaction history, transfer funds, find store locations, and more.

Security researcher Daniel E. Wood found a vulnerability (CVE-2014-0647) in the Starbucks v2.6.1 iOS mobile application: it stores your credentials and GPS locations in plain text in the device's file system.

To extract the information from the phone, an attacker only needs to connect the device to a computer and read the 'session.clslog' file from the location given below:

The vulnerability therefore requires that the attacker has physical access to your phone, but a successful attack would give them access to the money on the customer's account.

If your Starbucks account password is the same as your email password, change it as a first priority.

Starbucks quickly issued a statement acknowledging the vulnerability in its mobile application, saying it is "aware" of the problem and that security measures have been taken to ensure that "usernames and passwords are safe."

"We'd like to be clear: there is no indication that any customer has been impacted by this or that any information has been compromised." The company also asked its customers to report any theft or fraud resulting from this vulnerability.

Vulnerabilities of this kind are caused by inexperienced development practices and a lack of black-box testing of the finished product. Companies should invest a little extra in securing applications that are directly linked to finance and users' personal data.
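The black-box check that would have caught the flaw described above is simple: log into a test account, pull the app's sandbox to a computer, and search every file in it for the test account's credentials. The following is an added example, not the article's content or Starbucks' code: it builds a constructed sandbox in a temporary directory with a fake 'session.clslog' written in the leaky style the article describes, next to a second log written through a redacting function, and reports which files still carry the credentials in plain text. The file layout, the JSON event format and the list of sensitive keys are assumptions.

```python
"""Pre-release check: does an app's sandbox contain a test account's secrets
in plain text?  Added example with a constructed sandbox; the paths, the log
format and SENSITIVE_KEYS are assumptions, not the real app's layout."""
import json
import tempfile
from pathlib import Path

# Field names a diagnostic log must never carry verbatim (assumed list).
SENSITIVE_KEYS = {"password", "passwd", "pin", "token", "username", "email"}

# Credentials of the throwaway test account used for the check (constructed).
TEST_SECRETS = {"username": "test.user@example.com", "password": "Hunter2!2014"}


def sanitize_event(event):
    """Return a copy of a log event with sensitive fields replaced by a marker,
    so crash/session logs can still be written without leaking credentials."""
    return {k: ("<redacted>" if k.lower() in SENSITIVE_KEYS else v)
            for k, v in event.items()}


def find_plaintext_secrets(root, secrets):
    """Walk `root` and return {relative_path: [secret labels found]} for every
    file whose raw bytes contain any of the known secret values."""
    root = Path(root)
    hits = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: skip, the walk continues
        found = [label for label, value in secrets.items()
                 if value.encode() in data]
        if found:
            hits[path.relative_to(root).as_posix()] = found
    return hits


def build_sample_sandbox():
    """Constructed sample: a tiny app sandbox with one leaky log (events
    written verbatim) and one log written through sanitize_event()."""
    root = Path(tempfile.mkdtemp(prefix="app_sandbox_"))
    events = [
        {"event": "login", "username": TEST_SECRETS["username"],
         "password": TEST_SECRETS["password"]},
        {"event": "location", "lat": 47.6062, "lon": -122.3321},
    ]
    cache = root / "Library" / "Caches"
    cache.mkdir(parents=True)
    # The failure mode the article describes: credentials logged as-is.
    (cache / "session.clslog").write_text(
        "\n".join(json.dumps(e) for e in events) + "\n")
    # The same events after redaction: nothing secret reaches disk.
    (cache / "session_sanitized.log").write_text(
        "\n".join(json.dumps(sanitize_event(e)) for e in events) + "\n")
    return root


def run_check(root=None):
    """Scan a pulled sandbox (or the constructed one) for the test secrets."""
    root = Path(root) if root else build_sample_sandbox()
    return find_plaintext_secrets(root, TEST_SECRETS)


if __name__ == "__main__":
    hits = run_check()
    for rel_path, labels in hits.items():
        print(f"LEAK: {rel_path} contains {', '.join(labels)} in plain text")
    if not hits:
        print("No plaintext test credentials found in sandbox")
```

Point `run_check()` at a directory copied from a real test device to use it as a release gate; the scan is byte-based on purpose, so it also catches credentials embedded in binary plists, SQLite databases and cache files, not just text logs.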

Mobile users are advised to use a strong device PIN of more than four characters, mixing letters and numbers, to protect their data from flaws like this one.
