Starbucks Mobile App Stored Users’ Passwords in Potentially Vulnerable Ways [Updated]

Check your account settings. Photo: Starbucks

Last fall, security researcher Daniel Wood discovered major flaws in Starbucks’s mobile payment app, which happens to be the most-used app of its kind in the U.S. Naturally, Wood contacted Starbucks, and when the coffee chain put him on hold endlessly in an attempt to patch him through to customer service, Wood did what good hackers everywhere do to advance the cause: He posted some of his research online. Essentially, what Wood had figured out was that the coffee chain’s app had been designed to store several key points of data — including username, password, and geolocation details — in plain text, making that information vulnerable to theft.



Evan Schuman: Starbucks caught storing mobile passwords in clear text [Computerworld]
Related: Air Force Colonel: Starbucks Wi-Fi More Secure Than Pentagon Computers

* This post has been updated throughout.

Starbucks said there are new and improved security features in place, but declined to get into specifics. Today, the chain posted a letter on its website stating it was "working to accelerate the deployment of an update for the app that will add extra layers of protection."

Earlier this week, Wood says he tried the app once again after being told about what had been described as a patch. The result? He was still able to see his username and password in clear, unencrypted text, this time with more nuanced (and potentially troublesome) geolocation data. That might be particularly bad news, for instance, for the espresso-loving Air Force colonel who suggested in court last year that the wireless networks at Starbucks were more secure than the Pentagon’s.

Update, January 17: Starbucks has released an updated version of their mobile app for iOS, and a representative sends along these accompanying details:

1. We have no indication that any customer has been impacted by this or that any information has been compromised.

2. Earlier this week we added safeguards to protect against the theoretical vulnerabilities raised by Daniel Wood.

3. Yesterday we released an update for the app that will add extra layers of protection, and are encouraging customers to download it as an additional safeguard.
