Starbucks says app is now fixed
NEW YORK (CNNMoney) — Starbucks said it has fixed its mobile app that left customers’ passwords open to attack.
The hugely popular app, which allows Starbucks customers to purchase drinks and food directly from their smartphones, had been saving customers’ usernames, passwords and other personal information in plain text.
That meant a hacker could have picked up a left-behind phone, plugged it into a laptop and easily recovered a Starbucks customer’s password without even knowing the smartphone’s PIN code.
Starbucks acknowledged the vulnerability this week. It said that no customers had claimed to have been hacked as a result.
On Thursday night, Starbucks said it pushed out an updated version of its mobile app for iOS that “adds extra layers of protection.” The Android app does not have the security flaw, the company said.
Exploiting the issue wouldn’t have been easy. To access a customer’s password, a hacker needed to be in possession of the phone, have a computer handy, and know how to access the file.
If a hacker did obtain the password, it would allow him access to money stored in the customer’s Starbucks account. Customers could be at greater risk if they use the same password for other sites.
The issue was first exposed by security researcher Daniel Wood, a Starbucks customer who said he tested the app to see if his information was secure.
“The application is storing the users’ information — everything from your full name to your address to your username and password as well as your email address,” he told CNNMoney earlier this week.
Wood disclosed the issue in an online posting after approaching the company in December without a response from technical teams. After the issue became public, he was contacted by Starbucks. On Tuesday, his post was reported by the technology site ComputerWorld.