Starbucks Mobile App Stored Users’ Passwords in Potentially Vulnerable Ways [Updated]

Check your account settings.
Check your account settings. Photo: Starbucks

Last fall, security researcher Daniel Wood discovered major flaws in Starbucks’s mobile payment app, which happens to be the most-used app of its kind in the U.S. Naturally, Wood contacted Starbucks, and when the coffee chain put him on hold endlessly in attempt to patch him through to customer service, Wood did what good hackers everywhere do to advance the cause: He posted some of his research online. Essentially, what Wood had figured out was that the coffee chain’s app had been designed to store several key points of data — including username, password, and geolocation details — in plain text, making that information vulnerable to theft.

This isn’t anything close to the level of Target’s credit-and-debit-card breach, and there isn’t any indication that users’ identities or information have been stolen, but the loophole — which would allow thieves access to accounts and data even if they didn’t know the user’s phone PIN — is nonetheless a concern, and a good general warning for customers. Basically, it would allow phone thieves to buy things from Starbucks, like a potentially hefty number of muffins and Frappuccinos, via any user who has activated the “auto-replenish” option. Also, it’s not the chain’s responsibility, but any users who reuse passwords across a variety of apps and accounts would be subject to more fraud.

For their part, representatives from Starbucks tell Computerworld that they knew about the issue. “What you’ve described is fair, at a high level,” the chain’s CIO says, acknowledging the potential for exploits. “From a design perspective, this could have potentially happened.”

Starbucks said there are new and improved security features in place, but declined to get into specifics. Today, the chain posted a letter on its website stating it was “working to accelerate the deployment of an update for the app that will add extra layers of protection.”

Earlier this week, Wood says he tried the app once again after being told about what had been described as a patch. The result? He was still able to see his username and password in clear, unencrypted text, this time with more nuanced (and potentially troublesome) geolocation data. That might be particularly bad news, for instance, for the espresso-loving Air Force colonel who suggested in court last year that the wireless networks at Starbucks were more secure than the Pentagon’s.

Update, January 17: Starbucks has released an updated version of their mobile app for iOS, and a representative sends along these accompanying details:

1. We have no indication that any customer has been impacted by this or that any information has been compromised

2. Earlier this week we added safeguards to protect against the theoretical vulnerabilities raised by Daniel Wood

3. Yesterday we released an update for the app that will add extra layers of protection, and are encouraging customers to download it as an additional safeguard

Evan Schuman: Starbucks caught storing mobile passwords in clear text
Related: Air Force Colonel: Starbucks Wi-Fi More Secure Than Pentagon Computers

* This post has been updated throughout.

Starbucks Mobile App Stored Users’ Passwords in Potentially Vulnerable