Starbucks admits its iPhone app stores unencrypted user passwords

When you type a password into a mobile payment app, you’d probably expect it to protect that password somehow. But it seems that the Starbucks app for iOS doesn’t actually lock its usernames and passwords down. According to a Computerworld report, company executives admitted today that the mobile app stores passwords in clear text, with no encryption of any sort. By connecting your phone to a computer, the report claims, someone could easily retrieve your password from a crash log.

What’s more, it appears that Starbucks may not intend to actually fix the problem. While the company told both Computerworld and The Seattle Times that the company had “taken steps to safeguard customers’ information,“ it’s unclear what steps it could have taken. Daniel Wood, the security researcher who originally discovered the vulnerabiility in November, says that the latest version of the app still includes the same unencrypted passwords and usernames. Starbucks would have to update the application to fix the issue, Wood tells The Verge, and it hasn’t done that since May. “Anything they have done on their end won’t matter as the vulnerability lies within the application on end user devices,” he says.

Admittedly, a criminal would still need to have physical possession of a user’s phone to make use of the vulnerability, which is a fairly high bar to clear, and here it’s only usernames, passwords, and email addresses at risk. Wood says that the Subway Ordering for California app, which lets users build sandwiches to order, stores the complete street address, credit card info, email address, and geolocation of its users in plain text.

Update: Starbucks says it will update its app to no longer store passwords in cleartext.