Starbucks app leaves passwords unencrypted and users at risk

A security researcher identified a problem with the US version of the app - it's thought that the UK version suffers from a similar flaw

Update: Starbucks say they have since updated the app to offer "extra layers of protection", with a spokesperson for the company stating that "We have no indication that any customer has been impacted by this or that any information has been compromised."

A Starbucks app used for in-store payment may be vulnerable to hackers, according to new research by an American computer security specialist.

The Starbucks card mobile app, launched in 2009, allows users to pay for orders with their mobile devices via a Starbucks Card. To pay, users of the app just need to scan the app’s barcode.

Daniel Wood, an expert in computer security, published the results of his research this week. His findings revealed that the iOS app stored customers’ usernames, passwords, and email addresses in clear text.

This means that if a hacker connected a phone to a computer and viewed the crash log, they would be able to access your username and password. Daniel Wood, in an interview with Computerworld, said that the passcode lock on an iPhone would offer no protection as “You don’t need a user’s PIN in order to pull raw data off the phone”.

With access to the username and password, hackers would be able to charge purchases in Starbucks using the app until the pre-loaded amount of money ran out. However, customers can activate a setting in the app that auto-replenishes their balance, so hackers could repeatedly draw funds from the user’s bank account into the app.

Thankfully, according to Starbucks’ Chief Digital Officer Adam Brotman, who spoke to Computerworld, the coffee company sends a message to the user if there is a request for more money, thus alerting the customer.

The UK edition of the Starbucks app.

It has not yet been confirmed whether the UK app has the same security issue. However, Daniel Wood told The Independent that he believed the UK app would be affected by the same problem “if the application is the same and just using the GB localisation file”. 

He added: “Language localisation should not change app functionality. I have not attempted to access the UK App Store personally to test this, however, the app published dates are the same for the US and UK app so that leads me to believe they are the same version”.

A spokesperson for Starbucks told The Independent: “Our customers’ security is of the utmost importance to us, and we actively monitor for risks and vulnerabilities. While we are aware of this report, there is no known impact to our customers.”

“To further mitigate our customers’ potential risk from these theoretical vulnerabilities, Starbucks has taken additional steps to safeguard any sensitive information that might have been transmitted in this way.”

It is not yet known what changes Starbucks have made and it is believed that the app must be updated in order to remove the security flaw. The same version of the app that Daniel Wood tested, version 2.6.1, is still listed as the most recent version available on the UK App Store – and has not been updated since May 2013.
