Starbucks App Exposes Passwords

Make sure you keep your mobile phone close while at your neighborhood coffee shop. In a posting to SecLists.org, security researcher Daniel Wood describes a vulnerability in the iOS version of the popular Starbucks app, used by more than 10 million customers worldwide.

According to the disclosure, the app stores user credentials (username, email address and password) in clear text in an easily accessible file on the device.

"Within session.clslog there are multiple instances of the storage of clear-text credentials that can be recovered and leveraged for unauthorized usage of a user's account on the malicious user's own device or online at https://www.starbucks.com/account/signin. It contains the HTML of the mobile application page that performs the account login or account reset. session.clslog also contains the OAuth token (signed with HMAC-SHA1) and OAuth signature for the user's account/device to the Starbucks service," writes Wood.

In his posting, Wood quotes the OWASP Mobile Top 10 guidance on Insecure Data Storage, which calls for "never storing credentials on the phone file system" and for encrypting sensitive data whenever storing it on the device is unavoidable.
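The OWASP point above is easy to violate by accident: a verbose session or crash log that captures the raw login request and the OAuth material is exactly a clear-text credential store. The following Python is an added example, not Wood's code or any Starbucks code, showing the same failure mode and the fix in logging terms: a logging filter that redacts passwords and OAuth tokens before they reach the log, and a defender-side check that scans an existing log for lines that still carry credentials. The log messages, field names and token values are constructed for the example; the password and OAuth fields are assumed to be the sensitive ones.

```python
import logging
import re
from io import StringIO

# Patterns for credential material as it commonly appears in app logs
# (field names are assumptions for this example, not taken from the app).
SENSITIVE_PATTERNS = [
    # JSON-style fields such as "password":"..." -> keep the key, blank the value
    (re.compile(r'("(?:password|passwd|pwd)"\s*:\s*")([^"]*)(")', re.IGNORECASE),
     r'\1[REDACTED]\3'),
    # key=value tokens such as oauth_token=... / oauth_signature=...
    (re.compile(r'\b(oauth_token|oauth_signature|access_token|refresh_token)=([^\s&]+)',
                re.IGNORECASE),
     r'\1=[REDACTED]'),
]


def redact(text):
    """Return text with every recognised secret value replaced by [REDACTED].
    Idempotent: an already-redacted line comes back unchanged."""
    for pattern, replacement in SENSITIVE_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Logging filter that scrubs secrets from a record before any handler writes it."""

    def filter(self, record):
        # Render the message first so %-style args are covered, then redact.
        record.msg = redact(record.getMessage())
        record.args = None
        return True


def write_session_log(events, redacting=True):
    """Emit (level, message) events through a logger and return the log text.
    With redacting=True the filter strips secrets before they reach the stream."""
    stream = StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    if redacting:
        handler.addFilter(RedactingFilter())
    logger = logging.Logger("session", level=logging.DEBUG)  # standalone, no shared state
    logger.addHandler(handler)
    for level, msg in events:
        logger.log(level, msg)
    handler.flush()
    return stream.getvalue()


def find_leaks(log_text):
    """Defender-side check: 1-based line numbers that still contain a secret.
    A line leaks if redacting it would change it."""
    return [i for i, line in enumerate(log_text.splitlines(), 1) if redact(line) != line]


# Constructed sample events: what an over-eager debug log captures during sign-in.
EVENTS = [
    (logging.INFO, 'login request: {"username":"alice@example.com","password":"Hunter2!"}'),
    (logging.DEBUG, "oauth_token=abc123def456 oauth_signature=Zm9vYmFyYmF6"),
    (logging.INFO, "loaded page /account/signin"),
]


if __name__ == "__main__":
    unsafe = write_session_log(EVENTS, redacting=False)
    print("without filter, leaking lines:", find_leaks(unsafe))
    print(unsafe)
    safe = write_session_log(EVENTS)
    print("with filter, leaking lines:", find_leaks(safe))
    print(safe)
```

The filter is attached to the handler rather than the logger so that every message written to that log file passes through it, whichever module emitted it; `find_leaks` is the same logic run in the other direction, useful for auditing logs an app has already written. The pattern list is deliberately short and can be extended to whatever fields a given app treats as credentials.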

Starbucks spokeswoman Linda Mills called the likelihood of the vulnerability being exploited "very far-fetched," according to a report by CNN.

This latest disclosure joins a previously discovered vulnerability in Starbucks' barcode-based mobile payment service, where a "hacker" (in fact the VP of sales and marketing at a Florida-based POS solutions company) demonstrated how the payment service could be compromised in 90 seconds.