Brotman didn't specifically say that the passwords are no longer appearing in clear text. About two hours after Brotman and Garner discussed the security hole, Wood reran his tests on an updated Starbucks app, using the current iOS version, and passwords and usernames were still fully visible in clear text. This time, though, he also noticed a geolocation history file, detailing his latitude and longitude numbers for every time he asked the app to find a store.
"If you grab someone's phone, you can effectively go through this log and see effectively where this person has been," Wood said. "It's a bad thing for user privacy."
Although it is certain that Starbucks' policies permitted the clear text, the file that displayed is actually part of a capture done by a third-party crash analysis app from a company called Crashlytics, which was purchased by Twitter last year. Neither Crashlytics nor Twitter returned emails and voicemail messages seeking comment.
How do the clear-text passwords endanger shoppers? A thief would need to first steal — or at the very least borrow for 30 minutes or so — a victim's phone. If the thief could access the phone's data, either because it had no PIN protection or the thief knew the PIN, he could easily get the victim's Starbucks username and password. With those in hand, the thief could charge items to the victim's account, until all the stored value is used up.
The thief could potentially steal far more if the victim had activated an auto-replenish option, which would allow the app to repeatedly access the victim's bank account to continually add more money to the Starbucks account. Brotman said that any request for more bank funds would trigger a message to the victim — he said it would probably be an email — which could alert the victim to the fraud. If the victim then contacted Starbucks, the account would be shut down.
But any victim who is traveling and has email access only on her phone would not receive that fraud alert from Starbucks, and that might give the thief plenty of time to run up big charges.
Asked about that particular scenario, Garner, the Starbucks CIO, said, "What you've described is fair, at a high level. From a design perspective, this could have potentially happened." He declined commenting on more specifics because "we're getting into security measures."
I know it has to be frustrating to mount a defense in those terms. Executives like Garner are forced to say, in effect, "We've got this all taken care of, but I can't tell you how we've done that because we can't talk about our specific security measures." But Gartner's Litan isn't buying Starbucks' soft soap. "They can come up with any rationale that they want to," she said. "It's just bad security practice. You don't store passwords in the clear. Ever."
Sign up for CIO Asia eNewsletters.