If you’re concerned about someone getting their hands on your personal data, you’ll want to read on — this latest method’s an unlikely culprit. The Starbucks mobile-payment app is reportedly saving user data, including email addresses, passwords and even your GPS location in plain text. Theoretically, anyone with access to your phone (and a computer) can download your private data with less than an hour or work. Company executives confirmed the flaw to Computerworld, admitting that they’re aware of the issue.
Daniel Wood, a security researcher, first came upon the unencrypted information last year. He downloaded and re-tested an updated version the app, which Starbucks claims now includes “adequate security measures,” only to find that the same information is still easily accessible. A log file also includes GPS coordinates that are captured every time you search for a nearby Starbucks store. Of course, the global caffeinator’s mobile application isn’t free of other weaknesses, too — payments are processed by scanning an on-screen barcode, which can be reproduced and used to drain your account by anyone close enough to photograph your phone. by engadget