Starbucks has been called out after its smartphone app was caught storing unencrypted passwords on the mobe's file system. The lazy programming was revealed yesterday by security researcher Daniel Wood after he poked around the expensive warm-milk vendor's iOS application. The stored plaintext password is used to log into the …
Why on earth would you have a "starbucks password" on your ayephone?
Are you such a fashion victim that you just feel so cool and with it as you swan into your tiresome chain coffee supping store that you feel defines your "lifestyle" as much as your choice of gadgetry and feel the need to flash your pricey gadget at the till rather than handover some coins or pay with your cashcard?
The damage caused by someone who stole your blingmobe being able to go and get as much free pretentiously named coffee as they want for a day or so before you disable your phone must be heartbreaking.
Spoonfed lifestyle not of your making, you mean?
'cashcard'? Ooh get you and your anti-establishment rhetoric.
I think the password is for the Starbucks WiFi rather than paying for the warm milky stuff
Isn't this less about "the need to flash your pricey gadget" and more about running a customer loyalty scheme without handing out physical loyalty cards?
Game run a similar scheme (they've replaced my loyalty card with a QR code in the mobile app), and I'm quite pleased not to have to clutter up my wallet with anymore plastic. I certainly don't get any sort of validation from waving my outdated mobile at the staff.
"I think the password is for the Starbucks WiFi rather than paying for the warm milky stuff"
From article: "The stored plaintext password is used to log into the user's online Starbucks account"
To me that say it stores the password to the Starbucks account. The account used to collect loyalty rewards and also pay at the till with your pre-paid account. I guess the email address would be there somewhere too.
There's a better way to do it wrong
Run the plain text password through a one-way hash, base64 encode it, store that as your login, and modify the servers to do the same.
Did the developer wake up but not...
Smell the coffee?
Re: Did the developer wake up but not...
Nice try - but this was Starbucks ...
It makes you wonder that if the app stores it in plaintext, and it must be transmitted in plaintext and the servers.... hmm... Let's see if Starbucks gets hit like Target did.
> The company is also asking users to directly report any believed or suspected account theft or fraud attempts.
Yeah, about that daily macchiato I have been ordering for the last three years? It wasn't me, can I get, like, a refund?
Not so trivial
Seems to me that the real risk of the plaintext password is for folks who use the same password for all their accounts. There are plenty of them.
So they were lax in storing it on client devices - that's amateurish, schoolboy coding.
The BIG question is what have they done at the server end - just how insecure is the network, the OS, the database. Multi-layered security - probably not. If they can get the client so wrong, what confidence level do we conclude about their core infrastructure.
The company is also asking users to directly report any believed or suspected account theft...
Dear Starbucks - your coffee is over priced, you are stealing hard earned $£
no mention of Android
Re: For once
If they made the same mistake on Android, this attack will be much worse, simply because getting into the filing system of the device is potentially so much easier.
expensive warm-milk vendor
That's what I've been telling people for YEARS! I am glad someone else has noticed (and judging from the comments above, a fair few have).
I dream that one day enough people will notice, and we can start having real coffee in shops again.
The scripted reply to all security issues
"We'd like to be clear: there is no indication that any customer has been impacted"
There never is until you find some.
Aye stolen off phone
Quite obviously its 'only a phone' when its an iPhone gone pear shaped.
When in doubt, don't.
Pay cash. Avoid all store loyalty programs. Don't use public wi-fi.
- Product round-up Coming clean: Ten cordless vacuum cleaners
- Episode 13 BOFH: WHERE did this 'fax-enabled' printer UPGRADE come from?
- Vulture at the Wheel Ford's B-Max: Fiesta-based runaround that goes THUNK
- Worstall @ the Weekend BIG FAT Lies: Porky Pies about obesity
- Yahoo! blames! MONSTER! email! OUTAGE! on! CUT! CABLE! bungle!