The Starbucks mobile app, the most used mobile-payment app in the U.S., has been storing usernames, email addresses and passwords in clear text, Starbucks executives confirmed late on Tuesday (Jan. 14). The credentials were stored in such a way that anyone with access to the phone can see the passwords and usernames by connecting the phone to a PC. No jailbreaking of the phone is necessary. And that clear text also displays an extensive list of geolocation tracking points (latitude, longitude), a treasure trove of security and privacy gems for anyone who steals the phone.
The thief could potentially steal far more if the victim had activated an auto-replenish option, which would allow the app to repeatedly access the victim’s bank account to continually add more money to the Starbucks account. Brotman said that any request for more bank funds would trigger a message to the victim — he said it would probably be an email — which could alert the victim to the fraud. If the victim then contacted Starbucks, the account would be shut down.
Read the full article @ Computer World.