One of the most popular mobile payment systems in the US may also be among the leakiest. Security researcher Daniel Wood went public with his research Tuesday, revealing that the Starbucks iOS app exposes customers’ usernames, e-mail addresses, passwords, and certain location data.
The problem doesn’t arise directly from the Starbucks app. Rather, it stems from the cleartext logs maintained by the app’s crash analytics software.
The software, known as Crashlytics, allows developers to log application data for subsequent analysis in the event of an error. Crashlytics advises its partners not to log sensitive data, such as usernames and passwords. In this instance, the Starbucks app passes user data along to the session.clslog file without any effort to conceal it.
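The failure described here is user data reaching a cleartext crash log unredacted. The following is an added example, not code from the Starbucks app, Crashlytics, or the researcher: a scrubber that redacts the fields the article names before a payload is handed to any crash-analytics logger, plus an audit that scans an existing log file for those same kinds of values. The key list, the regexes and the sample log text are assumptions constructed for this example.

```python
import re
from typing import Any, Dict

# Fields the article says were exposed; the exact key names are an
# assumption for this example, not taken from the app.
SENSITIVE_KEYS = {"username", "email", "password", "latitude", "longitude"}
REDACTED = "[REDACTED]"


def scrub_for_crash_log(payload: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of payload that is safe to hand to a crash logger.

    Sensitive keys are replaced with a placeholder. Matching is
    case-insensitive so 'Password' or 'userName' are caught, and any key
    containing 'password' (e.g. 'old_password') is redacted too. Nested
    dictionaries are scrubbed recursively.
    """
    clean: Dict[str, Any] = {}
    for key, value in payload.items():
        lowered = key.lower()
        if lowered in SENSITIVE_KEYS or "password" in lowered:
            clean[key] = REDACTED
        elif isinstance(value, dict):
            clean[key] = scrub_for_crash_log(value)
        else:
            clean[key] = value
    return clean


# Patterns a reviewer can run over a cleartext crash log to confirm nothing
# sensitive was written. Constructed for this example; tune to your app.
AUDIT_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "password_field": re.compile(r'(?i)"?password"?\s*[:=]\s*"?[^"\s,}]+'),
    "coordinates": re.compile(r"-?\d{1,3}\.\d{3,},\s*-?\d{1,3}\.\d{3,}"),
}


def audit_crash_log(text: str) -> Dict[str, int]:
    """Count hits per pattern; any non-zero count means the log leaks."""
    return {name: len(pat.findall(text)) for name, pat in AUDIT_PATTERNS.items()}


if __name__ == "__main__":
    # Constructed sample resembling a session log line with leaked fields.
    sample = ('login {"username": "jane", "password": "hunter2"} '
              'geo 47.6062,-122.3321 contact jane@example.com')
    print(audit_crash_log(sample))
    print(scrub_for_crash_log({"username": "jane", "password": "hunter2", "store": "123"}))
```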
Wood points out that the methods he used to access the data circumvent the device's PIN lock and could be carried out with less than 30 minutes of physical access to the phone. Stolen phones would be the most likely target for this attack, and though the breach might seem limited to simply filling up on a little coffee, users who have set their accounts to auto-replenish periodically could be at greater risk.
The habit many people have of reusing passwords could expose users to additional breaches, too.