Starbucks' iOS mobile app stores geolocation data, credentials in clear text

The Starbucks mobile app is the most used mobile-payment app in the U.S., but the iOS version has two big problems, and Starbucks executives confirmed them late Tuesday, as Computerworld reported.

The first issue is that the app stores the user's password on the device. That alone wouldn't be a problem if the password weren't stored in plain text. The second issue is that the app also stores the user's geolocation data.

The issues were first posted by Daniel Wood, a Minneapolis-based security researcher and pen (penetration) tester, at’s Full Disclosure site. There, he said:

Issue: Username, email address, and password elements are being stored in clear-text in the session.clslog crashlytics log file.

Location: /Library/Caches/

Within session.clslog there are multiple instances of the storage of clear-text credentials that can be recovered and leveraged for unauthorized usage of a user's account on the malicious user's own device or online at It contains the HTML of the mobile application page that performs the account login or account reset. session.clslog also contains the OAuth token (signed with HMAC-SHA1) and OAuth signature for the user's account/device to the Starbucks service.

To be clear, the file in question is actually a log written by Crashlytics, a third-party crash-analysis tool that Twitter purchased last year.

Wood said he tried contacting Starbucks in mid-November of last year. After failing to get an adequate response from the company (he said he was repeatedly transferred to customer service during the following two months), he decided to go live with some of his research.

Starbucks said:

Our customers’ security is of the utmost importance to us, and we actively monitor for risks and vulnerabilities. While we are aware of the theoretical vulnerabilities outlined in this report, there is no known impact to our customers at this time. To further mitigate our customers’ potential risk from these theoretical vulnerabilities, Starbucks has taken additional steps to safeguard any sensitive information that might have been transmitted in this way.

It is unclear what these additional steps are. The iOS app has not been updated since May of 2013.

According to Wood, the data can be retrieved from a phone without knowledge of a user's device password, by connecting the device to a PC and using the same tools Wood did. Jailbreaking is not required, either.

It's unclear why the data is stored in clear text. As Computerworld says, however, although the data is stored in the log file of a different third-party app, "it is certain that Starbucks' policies permitted the clear text."
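As an added example (not code from the article, from Starbucks or from Crashlytics), a small Python check that an app security reviewer could run over an extracted app cache, such as the Library/Caches tree the article names, to flag credential-like fields that have leaked into crash-reporter logs before a release ships; the sample log lines and the exact field names are constructed for this example.

```python
import re
from pathlib import Path

# Field names that should never reach a third-party log. The list is an assumption
# for this example; the article only says username, email, password, OAuth token
# and OAuth signature were present in session.clslog.
SENSITIVE_KEYS = ("password", "passwd", "username", "email",
                  "oauth_token", "oauth_signature")
KEY_ALT = "|".join(SENSITIVE_KEYS)

# key=value / key: value / "key":"value" pairs in log lines or query strings.
KV_RE = re.compile(r'(?i)\b(?P<key>' + KEY_ALT +
                   r')\b["\']?\s*[=:]\s*["\']?(?P<val>[^"\'&;,\s<>]+)')
# Pre-filled login-form fields when a whole HTML page lands in the log.
HTML_RE = re.compile(r'(?i)<input[^>]*name=["\'](?P<key>' + KEY_ALT +
                     r')["\'][^>]*value=["\'](?P<val>[^"\']+)["\']')


def mask(value: str) -> str:
    """Keep two characters so a finding can be located, never the secret itself."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def scan_log(text: str, source: str = "<memory>") -> list[dict]:
    """Return one finding per sensitive field found, with the value masked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern in (KV_RE, HTML_RE):
            for m in pattern.finditer(line):
                findings.append({"file": source, "line": lineno,
                                 "key": m.group("key").lower(),
                                 "value": mask(m.group("val"))})
    return findings


def scan_cache_dir(root: str) -> list[dict]:
    """Walk an extracted app container and scan every plausible log file in it."""
    results = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in (".clslog", ".log", ".txt"):
            results.extend(scan_log(path.read_text(errors="replace"), str(path)))
    return results


# Constructed sample of what a leaky crash log might contain (not real data).
SAMPLE_LOG = """\
2014-01-14 10:02:11 session start, app version 2.6.1
login form submitted: username=jdoe@example.com password=Hunter2pass
<input type="hidden" name="email" value="jdoe@example.com">
oauth_token=abc123token&oauth_signature=sigXYZ
2014-01-14 10:02:15 payment screen rendered
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG, "session.clslog"):
        print(f"{f['file']}:{f['line']} {f['key']} = {f['value']}")
```

Run `scan_cache_dir("/path/to/extracted/Library/Caches")` against a real pre-release build; a clean build returns an empty list.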
