Someone stole your phone? Now they'll have your STARBUCKS password – the horror!

Starbucks has been called out after its smartphone app was caught storing unencrypted passwords on the mobe's file system. The lazy programming was revealed yesterday by security researcher Daniel Wood after he poked around the expensive warm-milk vendor's iOS application. The stored plaintext password is used to log into the …

COMMENTS

This topic is closed for new posts.
SVV
Bronze badge

Perfect

Why on earth would you have a "starbucks password" on your ayephone?

Are you such a fashion victim that you just feel so cool and with it as you swan into your tiresome chain coffee supping store that you feel defines your "lifestyle" as much as your choice of gadgetry and feel the need to flash your pricey gadget at the till rather than handover some coins or pay with your cashcard?

The damage caused by someone who stole your blingmobe being able to go and get as much free pretentiously named coffee as they want for a day or so before you disable your phone must be heartbreaking.

4
2
Bronze badge

Re: Perfect

Spoonfed lifestyle not of your making, you mean?

0
0
Anonymous Coward

Re: Perfect

'cashcard'? Ooh get you and your anti-establishment rhetoric.

2
0

Re: Perfect

I think the password is for the Starbucks WiFi rather than paying for the warm milky stuff

0
0
Silver badge

Re: Perfect

Isn't this less about "the need to flash your pricey gadget" and more about running a customer loyalty scheme without handing out physical loyalty cards?

Game run a similar scheme (they've replaced my loyalty card with a QR code in the mobile app), and I'm quite pleased not to have to clutter up my wallet with any more plastic. I certainly don't get any sort of validation from waving my outdated mobile at the staff.

0
0

Re: Perfect

"I think the password is for the Starbucks WiFi rather than paying for the warm milky stuff"

From article: "The stored plaintext password is used to log into the user's online Starbucks account"

To me that says it stores the password to the Starbucks account. The account used to collect loyalty rewards and also pay at the till with your pre-paid account. I guess the email address would be there somewhere too.

1
0
Bronze badge
Trollface

There's a better way to do it wrong

Run the plain text password through a one-way hash, base64 encode it, store that as your login, and modify the servers to do the same.

0
1
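The scheme in the comment above (hash the password on the phone, base64 it, store that, and teach the server to accept it) is a classic way to do it wrong: whatever the app stores and replays on login is, by definition, the credential, so anyone who reads the phone's file system logs in just as well as the owner. The example below is added here to make that concrete; it is not Starbucks' code, not the commenter's, and all names, the sample password, the salt and the device identifiers are constructed assumptions. It contrasts the hash-as-login scheme with the usual fix: the server keeps a proper password hash, the app stores only a random, revocable session token, and a stolen token stops working once the device is revoked.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample values (assumptions for the example, not real data).
PASSWORD = "correct horse battery staple"
STATIC_SALT = b"constructed-app-wide-salt"


def client_side_login_token(password: str) -> str:
    """The commenter's 'better way to do it wrong': one-way hash the password
    on the device, base64 it, and use the result as the login credential."""
    digest = hashlib.sha256(STATIC_SALT + password.encode()).digest()
    return base64.b64encode(digest).decode()


class HashAcceptingServer:
    """Server modified to accept the client-side hash directly.
    The hash is now the password as far as the server is concerned."""

    def __init__(self, password: str) -> None:
        self._expected = client_side_login_token(password)

    def login(self, presented: str) -> bool:
        return hmac.compare_digest(self._expected, presented)


class TokenServer:
    """Server that never sees a stored secret it cannot revoke: it keeps a
    salted PBKDF2 hash of the password and issues per-device session tokens."""

    def __init__(self, password: str) -> None:
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._derive(password)
        self._sessions: Dict[str, str] = {}  # token -> device_id

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def login_with_password(self, password: str, device_id: str) -> Optional[str]:
        # Password is checked once, then never needs to exist on the device.
        if not hmac.compare_digest(self._derive(password), self._pw_hash):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = device_id
        return token

    def use_token(self, token: str) -> bool:
        return token in self._sessions

    def revoke_device(self, device_id: str) -> None:
        # What 'disable your phone' should mean at the server end.
        self._sessions = {t: d for t, d in self._sessions.items() if d != device_id}


def compare_schemes() -> Dict[str, bool]:
    """Simulate a thief who copies whatever the app stored on the file system."""
    results: Dict[str, bool] = {}

    # Scheme 1: stored base64(hash) replays forever; revocation means a password change.
    hash_server = HashAcceptingServer(PASSWORD)
    stolen_from_file = client_side_login_token(PASSWORD)
    results["hash_scheme_replay_succeeds"] = hash_server.login(stolen_from_file)

    # Scheme 2: stored token replays until the device is revoked, and leaks no password.
    token_server = TokenServer(PASSWORD)
    stolen_token = token_server.login_with_password(PASSWORD, device_id="phone-A")
    assert stolen_token is not None
    results["token_scheme_replay_before_revoke"] = token_server.use_token(stolen_token)
    token_server.revoke_device("phone-A")
    results["token_scheme_replay_after_revoke"] = token_server.use_token(stolen_token)
    results["password_recoverable_from_stored_token"] = PASSWORD in stolen_token

    # The owner can still sign in from a new device afterwards.
    results["owner_can_relogin"] = (
        token_server.login_with_password(PASSWORD, device_id="phone-B") is not None
    )
    return results


if __name__ == "__main__":
    for name, outcome in compare_schemes().items():
        print(f"{name}: {outcome}")
```

The point the simulation makes is that client-side hashing changes nothing about the threat in the article: the thief does not need the password, only the bytes the app sends. A stored artefact only becomes safe to lose when the server can invalidate it independently of the password, which is why the token belongs in the platform keychain and the password should not be on the device at all.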
Bronze badge
Joke

Did the developer wake up but not...

Smell the coffee?

2
0
Anonymous Coward

Re: Did the developer wake up but not...

Nice try - but this was Starbucks ...

7
0
Silver badge
Facepalm

It makes you wonder that if the app stores it in plaintext, and it must be transmitted in plaintext and the servers.... hmm... Let's see if Starbucks gets hit like Target did.

3
0
Bronze badge

> The company is also asking users to directly report any believed or suspected account theft or fraud attempts.

Yeah, about that daily macchiato I have been ordering for the last three years? It wasn't me, can I get, like, a refund?

1
0
Anonymous Coward

Not so trivial

Seems to me that the real risk of the plaintext password is for folks who use the same password for all their accounts. There are plenty of them.

4
0
Silver badge
Pirate

So they were lax in storing it on client devices - that's amateurish, schoolboy coding.

The BIG question is what have they done at the server end - just how insecure is the network, the OS, the database. Multi-layered security - probably not. If they can get the client so wrong, what confidence level do we conclude about their core infrastructure.

1
0
Silver badge
Thumb Up

The company is also asking users to directly report any believed or suspected account theft...

Dear Starbucks - your coffee is overpriced, you are stealing hard-earned $£

Theft Reported!

2
0

For once

no mention of Android

0
0

Re: For once

If they made the same mistake on Android, this attack will be much worse, simply because getting into the filing system of the device is potentially so much easier.

0
1
Bronze badge
Thumb Up

expensive warm-milk vendor

That's what I've been telling people for YEARS! I am glad someone else has noticed (and judging from the comments above, a fair few have).

I dream that one day enough people will notice, and we can start having real coffee in shops again.

1
0
Bronze badge

The scripted reply to all security issues

"We'd like to be clear: there is no indication that any customer has been impacted"

There never is until you find some.

1
0
Anonymous Coward

Aye stolen off phone

Quite obviously it's 'only a phone' when it's an iPhone gone pear shaped.

0
0
Bronze badge
Boffin

When in doubt, don't.

Pay cash. Avoid all store loyalty programs. Don't use public wi-fi.

0
0