Starbucks app leaves passwords unencrypted and users at risk
A security researcher identified a problem with the US version of the app - it's thought that the UK version suffers from a similar flaw
Thursday 16 January 2014
Update: Starbucks say they have since updated the app to offer "extra layers of protection", with a spokesperson for the company stating that "We have no indication that any customer has been impacted by this or that any information has been compromised."
A Starbucks app used for in-store payment may be vulnerable to hackers, according to new research by an American computer security specialist.
The Starbucks card mobile app, launched in 2009, allows users to pay for orders with their mobile devices via a Starbucks Card. To pay, users of the app just need to scan the app’s barcode.
Daniel Wood, an expert in computer security, published the results of his research this week. His findings revealed that the iOS app stored customer’s usernames, passwords, and email addresses in clear text.
This means that if a hacker connected a phone to a computer and viewed the crash log, they would be able to access your username and password. Daniel Wood, in an interview with Computerworld, said that the passcode lock on an iPhone would offer no protection as “You don’t need a user’s PIN in order to pull raw data off the phone”.
With access to the username and password, hackers would be able to charge purchases in Starbucks using the app until the pre-loaded amount of money ran out. However, it is possible for customers to activate a setting on the app that auto-replenishes their balance on the app. Hackers could consequently repeatedly withdraw funds from the user’s bank account to the app.
Thankfully, according to Starbuck’s Chief Digital Officer Adam Brotman who spoke to Computerworld, the coffee company sends a message to the user if there is a request for more money, thus alerting the customer.
The UK edition of the Starbucks app.
It has not yet been confirmed whether the UK app has the same security issue. However, Daniel Wood told The Independent that he believed the UK app would be affected by the same problem “if the application is the same and just using the GB localisation file”.
He added: “Language localisation should not change app functionality. I have not attempted to access the UK App Store personally to test this, however, the app published dates are the same for the US and UK app so that leads me to believe they are the same version”.
A spokesperson for Starbucks told The Independent: “Our customers’ security is of the utmost importance to us, and we actively monitor for risks and vulnerabilities. While we are aware of this report, there is no known impact to our customers.”
“To further mitigate our customers’ potential risk from these theoretical vulnerabilities, Starbucks has taken additional steps to safeguard any sensitive information that might have been transmitted in this way.”
It is not yet known what changes Starbucks have made and it is believed that the app must be updated in order to remove the security flaw. The same version of the app that Daniel Wood tested, version 2.6.1, is version still listed as the most recent version available on the UK App store – and has not been updated since May 2013.
Life & Style blogs
Alexander McQueen at auction: What makes a really great piece of fashion?
A bottle of wine a day is not bad for you and abstaining is worse than drinking, scientist claims
No female ejaculation, please, we’re British: a history of porn and censorship
Stressed nurses are 'forced to choose between health of patients and their own'
Pornhub: Kim Kardashian's sex tape is the most-watched porn video of all-time
Disgruntled RBS worker writes hilarious open letter to Russell Brand after anti-capitalist publicity stunt leaves him hungry
Nigel Farage's approval rating hits 'record low' as popularity suffers in wake of Ukip sex scandal
Nigel Farage defends Kerry Smith 'ch***y' comment: 'If you are going for a Chinese, what do you say you’re going for?'
Pakistan school attack live: Taliban kill at least 132 children in 'horrifying' massacre
Sony hack: Angelina Jolie branded 'seriously out of her mind' in further embarrassing leaked email saga
Panic Saturday: 13 million Britons spend £1.2bn – while 13 million others across the country live in poverty unable to afford food
- 1 Nigel Farage: Me vs Russell Brand on Question Time – he's got the chest hair but where are his ideas?
- 2 Harry Potter fans can apply to the Hogwarts-inspired College of Wizardry
- 3 Jessica Chambers: 19-year-old woman 'doused with lighter fluid and burned alive' in the US
- 4 Russell Brand calls Nigel Farage 'poundshop Enoch Powell' in BBC Question Time debate
- 5 Orange Wednesdays are no more
iJobs Gadgets & Tech
£50000 per annum + 26 days holiday,pension: Ashdown Group: A highly successful...
£30 per hour: Ashdown Group: An industry leading and well established business...
£20000 per annum: Ashdown Group: A highly reputable business is looking to rec...
£28000 per annum: Ashdown Group: A highly reputable business is looking to rec...