Starbucks app leaves passwords vulnerable

Posted at 9:23 PM, Jan 15, 2014

NEW YORK (CNNMoney) — Starbucks’ mobile app leaves customers’ passwords open to attack, according to a research report.

The popular app, which allows Starbucks customers to purchase drinks and food directly from their smartphones, saves customers’ usernames, passwords and other personal information in plain text. That means a hacker could pick up a left-behind phone, plug it into a laptop and easily recover a Starbucks customer’s password without even knowing the smartphone’s PIN code.

Starbucks spokeswoman Linda Mills acknowledged the vulnerability and said the possibility of the vulnerability being exploited is “very far fetched.”

Mills and Jim Olson, another Starbucks spokesman, said no customers have claimed to have been hacked as a result.

“Obviously the security of our customers’ information is of the utmost importance to Starbucks and we’re monitoring for any risks and vulnerabilities,” Olson said.

Exploiting the issue wouldn’t be easy. To access a customer’s password, a hacker needs to be in possession of the phone, have a computer handy, and know how to access the file.

If a hacker does obtain the password, it would allow him or her access to money stored in the customer’s Starbucks account. Customers could be at greater risk if they use the same password for other sites.

Starbucks could not say that the app, which is available for Apple and Google Android devices, has been updated to fix the issue. The Apple version was last updated in May 2013, and Android users could last update the app in September, according to the respective app stores.

Olson declined to answer specific questions on updates but said Starbucks is “always evolving and enhancing our systems to ensure that our systems are secure.”

The issue was first exposed by security researcher Daniel Wood, a Starbucks customer who said he tested the app to see if his information was secure.

“The application is storing the users’ information — everything from your full name to your address to your username and password as well as your email address,” he told CNNMoney.

Wood disclosed the issue in an online posting after approaching the company in December without a response from technical teams. After the issue became public, he was contacted by Starbucks. On Tuesday, his post was reported by the technology site ComputerWorld.

Olson said Starbucks had reached out to Wood regarding his report. The Starbucks apps are used by about 10 million customers, Olson said.