One of the world’s most popular mobile payment applications, the Starbucks app, was recently outed by a little-known security researcher named Daniel Wood for openly storing plaintext passwords on the mobile devices of its customers.
The app, which enables you to quickly pay for your drinks and pastries through the streamlined Starbucks interface, is supposedly archiving the usernames and passwords of its users on iOS and Android phones. The primary reason for this slip-up is, simply put, convenience over caution.
“A company like Starbucks has to make the choice between usability to drive adoption and the potential for misuse or fraud. Starbucks has opted to make it very convenient. They just have to make sure that their comfort doesn’t overexpose their consumers and their brand.”
Because the majority of Starbucks customers are concerned with getting in and out of the shop as quickly and efficiently as possible during their morning commute, the designers of the software decided that, instead of requiring users to re-enter their credentials every time they order a drink, the sensitive data would be stored after the first entry, saving time and effort for the coffee connoisseur who is always on the go.
Perhaps most surprisingly, according to the CIO and Chief Digital Officer of Starbucks, this is something the company has known about for several months, claiming the team was “aware” of the issue, and that it was “not news to them” when the story finally broke. Supposedly Wood spent upwards of two weeks attempting to alert upper management to the security flaw, only to be met with customer service representatives and unreturned calls. Frustrated, he decided to post his findings on a netsec community board, which then blew up on Twitter and finally prompted a response from the caffeinated conglomerate.
Representatives for the company have come forward to reassure their customers that the vulnerability has since been patched, and that from now on if you want to order a drink over their servers you will be required to enter your information before each and every purchase.