Computerworld reports that Starbucks has admitted that login details were stored in clear text, without encryption, in its iPhone app, one of the most used mobile payment apps in the U.S.
The vulnerability was discovered by security researcher Daniel Wood. He published the details of the vulnerability online after repeated attempts to contact Starbucks were unsuccessful.
The credentials were stored in such a way that anyone with access to the phone can see the usernames and passwords by connecting the phone to a PC. No jailbreaking of the phone is necessary. The clear text also includes an extensive list of geolocation tracking points (latitude, longitude), a treasure trove of security and privacy gems for anyone who steals the phone.
Starbucks claims that it has made changes at its end to mitigate the issue; however, Wood reports that the problem still exists in the latest version of the Starbucks mobile app.
It doesn’t seem to be a major risk, as someone with malicious intent still needs to get access to your iPhone to read the login details stored in clear text, but we expect a lot more from Starbucks.
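A developer-side check for the storage flaw described above, added here as an example and not code from the article, the researcher or Starbucks: it scans a copy of an app's data container for credentials and coordinates written in clear text. The file names, key names and sample contents are assumptions constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Assumed key names; adjust to the keys your own app writes.
CRED_RE = re.compile(
    r"""(?i)\b(?:user(?:name)?|email|pass(?:word|wd)?)\b["']?\s*[=:]\s*["']?[^\s"'&,;]+""")
# Latitude,longitude pair with at least four decimal places each.
GEO_RE = re.compile(r"(-?\d{1,2}\.\d{4,})\s*,\s*(-?\d{1,3}\.\d{4,})")


def audit_container(root):
    """Return sorted (relative_path, line_no, kind) for every cleartext hit.

    Matched values are deliberately not returned, so the report itself
    does not become another copy of the secrets.
    """
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        text = path.read_bytes().decode("utf-8", errors="replace")
        for line_no, line in enumerate(text.splitlines(), 1):
            if CRED_RE.search(line):
                findings.append((rel, line_no, "credential"))
            if any(abs(float(a)) <= 90 and abs(float(b)) <= 180
                   for a, b in GEO_RE.findall(line)):
                findings.append((rel, line_no, "geolocation"))
    return sorted(findings)


def run_demo():
    """Audit a constructed container; file names and contents are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        log = Path(tmp, "Library", "Caches", "session.log")
        log.parent.mkdir(parents=True)
        log.write_text("2014-01-01 10:00:00 GET /account\n"
                       "username=alice@example.com&password=Constructed-Pw-1\n"
                       "location update 47.6097,-122.3331\n")
        prefs = Path(tmp, "Documents", "prefs.json")
        prefs.parent.mkdir(parents=True)
        prefs.write_text('{"theme": "dark", "store_id": 1234}\n')
        return audit_container(tmp)


if __name__ == "__main__":
    for rel, line_no, kind in run_demo():
        print(f"{rel}:{line_no}: cleartext {kind}")
```

Run against a test build's container in CI, any finding is a signal to move that value into the iOS Keychain or stop writing it to disk at all.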