Someone stole your phone? Now they'll have your STARBUCKS password – the horror!

Starbucks has been called out after its smartphone app was caught storing unencrypted passwords on the mobe's file system. The lazy programming was revealed yesterday by security researcher Daniel Wood after he poked around the expensive warm-milk vendor's iOS application. The stored plaintext password is used to log into the …


  1. SVV


    Why on earth would you have a "starbucks password" on your ayephone?

    Are you such a fashion victim that you just feel so cool and with it as you swan into your tiresome chain coffee-supping store, which you feel defines your "lifestyle" as much as your choice of gadgetry, that you feel the need to flash your pricey gadget at the till rather than hand over some coins or pay with your cashcard?

    The damage caused by someone who stole your blingmobe being able to go and get as much free pretentiously named coffee as they want for a day or so before you disable your phone must be heartbreaking.

    1. BongoJoe

      Re: Perfect

      Spoonfed lifestyle not of your making, you mean?

    2. Anonymous Coward

      Re: Perfect

      'cashcard'? Ooh get you and your anti-establishment rhetoric.

    3. Alan 6

      Re: Perfect

      I think the password is for the Starbucks WiFi rather than paying for the warm milky stuff

      1. You have not yet created a handle

        Re: Perfect

        "I think the password is for the Starbucks WiFi rather than paying for the warm milky stuff"

        From article: "The stored plaintext password is used to log into the user's online Starbucks account"

        To me that says it stores the password to the Starbucks account: the account used to collect loyalty rewards and also to pay at the till with your pre-paid balance. I guess the email address would be there somewhere too.

    4. Lamont Cranston

      Re: Perfect

      Isn't this less about "the need to flash your pricey gadget" and more about running a customer loyalty scheme without handing out physical loyalty cards?

      Game run a similar scheme (they've replaced my loyalty card with a QR code in the mobile app), and I'm quite pleased not to have to clutter up my wallet with any more plastic. I certainly don't get any sort of validation from waving my outdated mobile at the staff.

  2. Kevin McMurtrie

    There's a better way to do it wrong

    Run the plain text password through a one-way hash, base64 encode it, store that as your login, and modify the servers to do the same.

  3. dssf

    Did the developer wake up but not...

    Smell the coffee?

      1. Anonymous Coward

      Re: Did the developer wake up but not...

      Nice try - but this was Starbucks ...

  4. Mark 85

    It makes you wonder: if the app stores it in plaintext, it must be transmitted in plaintext, and the servers.... hmm... Let's see if Starbucks gets hit like Target did.

  5. 's water music

    > The company is also asking users to directly report any believed or suspected account theft or fraud attempts.

    Yeah, about that daily macchiato I have been ordering for the last three years? It wasn't me, can I get, like, a refund?

  6. Anonymous Coward

    Not so trivial

    Seems to me that the real risk of the plaintext password is for folks who use the same password for all their accounts. There are plenty of them.

  7. Velv

    So they were lax in storing it on client devices - that's amateurish, schoolboy coding.

    The BIG question is what they have done at the server end: just how insecure are the network, the OS and the database? Multi-layered security? Probably not. If they can get the client so wrong, what confidence level can we conclude about their core infrastructure?

  8. ukgnome

    The company is also asking users to directly report any believed or suspected account theft...

    Dear Starbucks - your coffee is overpriced, you are stealing hard-earned $£

    Theft Reported!

  9. taxman

    For once

    no mention of Android

    1. Ommerson

      Re: For once

      If they made the same mistake on Android, this attack will be much worse, simply because getting into the filing system of the device is potentially so much easier.

  10. Swarthy

    expensive warm-milk vendor

    That's what I've been telling people for YEARS! I am glad someone else has noticed (and judging from the comments above, a fair few have).

    I dream that one day enough people will notice, and we can start having real coffee in shops again.

  11. PaulR79

    The scripted reply to all security issues

    "We'd like to be clear: there is no indication that any customer has been impacted"

    There never is until you find some.

  12. Anonymous Coward

    Aye stolen off phone

    Quite obviously it's 'only a phone' when it's an iPhone gone pear-shaped.

  13. MachDiamond

    When in doubt, don't.

    Pay cash. Avoid all store loyalty programs. Don't use public wi-fi.
