Coffee chain Starbucks is taking fire over a revelation that their iOS payment app stores customers’ login information in plain text. The good news is that any exploit of the vulnerability would require physical access to your device.
Security researcher Daniel Wood publicly disclosed the vulnerability, which would require an attacker to have physical access to the device, on Monday. Wood told Computerworld that he first contacted Starbucks to report the flaw last November and only went public after the company failed to act.
The issue is a log file that is generated for crash reporting. The file, created using technology from Twitter-owned crash reporting analytics firm Crashlytics, contains unencrypted versions of the customer’s username, password, and email address. The file can be retrieved from your handset, even if it is locked with a security code.
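The failure described above, credentials and e-mail addresses being written into a diagnostic file, is something an app team can check for before shipping. The following is an added example, not code from Starbucks, Crashlytics, or the researcher: a small audit scanner that reads a crash-style log, flags key/value pairs that carry secrets or identity data, and produces a redacted copy. The log text, key names, and record layout are all constructed for illustration; real crash-reporter output uses its own format.

```python
"""Audit check for plaintext credentials in app crash/diagnostic logs.

Added example; not Starbucks', Crashlytics', or the researcher's code.
The log format below is constructed for illustration only.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Keys whose values must never reach a diagnostic log unredacted (assumed list).
SENSITIVE_KEYS = ("password", "passwd", "pwd", "token", "secret", "session")
# Keys that identify the account holder; lower severity but still a leak.
IDENTITY_KEYS = ("username", "user", "email", "login")
REDACTED = "[REDACTED]"

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Matches key=value, key: value and "key": "value" forms seen in text logs.
KV_RE = re.compile(
    r'"?(?P<key>[A-Za-z_][A-Za-z0-9_]*)"?\s*[:=]\s*"?(?P<value>[^",;\s}]+)"?'
)

# Constructed sample: what a crash report must NOT look like.
SAMPLE_CRASH_LOG = """\
[Crash] 2014-01-13 09:41:02 app=ExampleApp build=2.6.1
[Session] "username": "alice@example.com", "password": "hunter2"
[Session] email=alice@example.com locale=en_US
[Trace] view=PaymentController state=idle
"""


@dataclass
class Finding:
    line_no: int
    key: str
    value: str
    severity: str  # "high" for secrets, "medium" for identity data


def _classify(key: str, value: str) -> str | None:
    """Return a severity for a key/value pair, or None if it is harmless."""
    k = key.lower()
    if any(s in k for s in SENSITIVE_KEYS):
        return "high"
    if k in IDENTITY_KEYS or EMAIL_RE.fullmatch(value):
        return "medium"
    return None


def scan_log(text: str) -> list[Finding]:
    """Report every credential or identity value found in the log text."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in KV_RE.finditer(line):
            value = m.group("value")
            if value == REDACTED:  # already scrubbed on an earlier pass
                continue
            severity = _classify(m.group("key"), value)
            if severity is not None:
                findings.append(Finding(n, m.group("key").lower(), value, severity))
    return findings


def redact_log(text: str) -> str:
    """Return the log with sensitive and identity values replaced in place."""
    def _sub(m: re.Match) -> str:
        if _classify(m.group("key"), m.group("value")) is None:
            return m.group(0)
        start = m.start("value") - m.start()
        end = m.end("value") - m.start()
        return m.group(0)[:start] + REDACTED + m.group(0)[end:]
    return KV_RE.sub(_sub, text)


def has_credential_leak(text: str) -> bool:
    """True if any high-severity (secret) value is present; use as a CI gate."""
    return any(f.severity == "high" for f in scan_log(text))


if __name__ == "__main__":
    for f in scan_log(SAMPLE_CRASH_LOG):
        print(f"line {f.line_no}: {f.severity:6} {f.key}={f.value}")
    print("--- redacted ---")
    print(redact_log(SAMPLE_CRASH_LOG))
```

A check like `has_credential_leak` belongs in the build pipeline next to the crash reporter's integration tests, so that a release fails before a log with a password in it can ever be written to the handset. Redaction at write time, as `redact_log` shows, is the mitigation; scanning after the fact only tells you how long the exposure lasted.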
Starbucks has acknowledged the vulnerability, and says it has made changes to fix the problem. However, Wood says he took a look at the app following Starbucks' reassurances, and found that the credentials were still available.
While this vulnerability may be limited in its exposure of customer credentials, users are still urged to beware the evils of using the same login and password across various services. By using the information gleaned from a vulnerability such as the one found in the Starbucks app, attackers could possibly access other accounts held by customers.