Starbucks, the coffee mega-chain, appears to be under fire over its data security practices after it was recently discovered that the company's iOS payment app doesn't encrypt customers' login information. Security researcher Daniel Wood publicly disclosed the vulnerability, which requires an attacker to have physical access to the device. Wood told Computerworld that he first contacted Starbucks to report the flaw last November and only went public after the company failed to act.
At issue is a log file generated by Crashlytics, the Twitter-owned crash reporting and analytics service. The log file, which Wood says can be retrieved from a user's handset even if the phone is locked with a PIN, contains the customer's username, email address and password in clear text. Starbucks executives for their part acknowledged the vulnerability and said they have made changes to mitigate the danger. According to Starbucks' Chief Digital Officer Adam:
We were aware and adequate security measures are in place now. Usernames and passwords are safe.
Are you an avid Starbucks’ customer who is affected by this issue?
Source: Computerworld, SEClists