By Matthew Humphries, Jan. 16, 2014 11:10 am
If you’re a regular visitor to Starbucks, chances are you have one of their cards or their smartphone app to make paying easier with the incentive of collecting points. Those points mean prizes in the form of regular free drinks and discounts.
If you use the Starbucks app, though, you’re actually putting your personal information and account password at risk. That’s because it has been discovered that the app stores all your personal information unencrypted.
Daniel Wood, a security researcher and Starbucks customer, discovered the lack of security when he tested the app out of curiosity. He found a user’s name, address, username, and password were all stored in plain text. If you are in possession of someone’s phone with the Starbucks app installed, you can easily access the information via a PC.
Starbucks has acknowledged that this is indeed the case, but doesn’t really view it as a major security flaw. Apparently no customer has been hacked in this way, and in order to collect the information you need to steal someone’s phone and have a PC handy, and then you are limited in what you can do once you have the information. The official line is that this is a “very far fetched” exploit.
While Starbucks might not view it as a serious threat, gaining access to someone’s personal details is a serious issue and can lead to identity theft. Funds could also be moved on to a person’s Starbucks account without their knowledge and then spent by the hacker. There’s also the issue of password reuse, which is common, meaning other accounts could be exposed to hacking through the retrieved information.
The simple solution would be to update the Starbucks iOS and Android apps to add encryption, but for now Starbucks hasn’t stated its intention to do this. Instead, the company will continue to monitor potential threats and update accordingly. Depending on how much upset this lack of encryption causes, however, their hand may be forced.