Starbucks app leaves passwords unencrypted and users at risk

A security researcher identified a problem with the US version of the app - it's thought that the UK version suffers from a similar flaw

Update: Starbucks say they have since updated the app to offer "extra layers of protection", with a spokesperson for the company stating that "We have no indication that any customer has been impacted by this or that any information has been compromised."

A Starbucks app used for in-store payment may be vulnerable to hackers, according to new research by an American computer security specialist.

The Starbucks card mobile app, launched in 2009, allows users to pay for orders with their mobile devices via a Starbucks Card. To pay, users of the app just need to scan the app’s barcode.

Daniel Wood, an expert in computer security, published the results of his research this week. His findings revealed that the iOS app stored customer’s usernames, passwords, and email addresses in clear text.

This means that if a hacker connected a phone to a computer and viewed the crash log, they would be able to access your username and password. Daniel Wood, in an interview with Computerworld, said that the passcode lock on an iPhone would offer no protection as “You don’t need a user’s PIN in order to pull raw data off the phone”.

With access to the username and password, hackers would be able to charge purchases in Starbucks using the app until the pre-loaded amount of money ran out. However, it is possible for customers to activate a setting on the app that auto-replenishes their balance on the app. Hackers could consequently repeatedly withdraw funds from the user’s bank account to the app.

Thankfully, according to Starbuck’s Chief Digital Officer Adam Brotman who spoke to Computerworld, the coffee company sends a message to the user if there is a request for more money, thus alerting the customer.

The UK edition of the Starbucks app.

It has not yet been confirmed whether the UK app has the same security issue. However, Daniel Wood told The Independent that he believed the UK app would be affected by the same problem “if the application is the same and just using the GB localisation file”. 

He added: “Language localisation should not change app functionality. I have not attempted to access the UK App Store personally to test this, however, the app published dates are the same for the US and UK app so that leads me to believe they are the same version”.

A spokesperson for Starbucks told The Independent: “Our customers’ security is of the utmost importance to us, and we actively monitor for risks and vulnerabilities. While we are aware of this report, there is no known impact to our customers.”

“To further mitigate our customers’ potential risk from these theoretical vulnerabilities, Starbucks has taken additional steps to safeguard any sensitive information that might have been transmitted in this way.”

It is not yet known what changes Starbucks have made and it is believed that the app must be updated in order to remove the security flaw. The same version of the app that Daniel Wood tested, version 2.6.1, is version still listed as the most recent version available on the UK App store – and has not been updated since May 2013.

ebooks
ebookA delicious collection of 50 meaty main courses
Life and Style
ebookNow available in paperback
Latest stories from i100
Have you tried new the Independent Digital Edition apps?
Independent Dating
and  

By clicking 'Search' you
are agreeing to our
Terms of Use.

ES Rentals

    iJobs Job Widget
    iJobs Gadgets & Tech

    SThree: Trainee Recruitment Consultant - Dublin

    £13676.46 - £16411.61 per annum + OTE: SThree: SThree Trainee Recruitment Cons...

    Ashdown Group: Database Analyst - Birmingham - £22,000 plus benefits

    £20000 - £22000 per annum + excellent benefits: Ashdown Group: Application Sup...

    SThree: Recruitment Resourcer

    £20000 - £25000 per annum + Uncapped Commission: SThree: Do you want to get in...

    SThree: Recruitment Consultant - IT

    £25000 - £30000 per annum + Uncapped Commission: SThree: Sthree are looking fo...

    Day In a Page

    General Election 2015: Ed Miliband's unlikely journey from hapless geek to heart-throb

    Miliband's unlikely journey from hapless geek to heart-throb

    He was meant to be Labour's biggest handicap - but has become almost an asset
    Amr Darrag: Ex-Muslim Brotherhood minister in exile still believes Egypt's military regime can be replaced with 'moderate' Islamic rule

    'This is the battle of young Egypt for the future of our country'

    Ex-Muslim Brotherhood minister Amr Darrag still believes the opposition can rid Egypt of its military regime and replace it with 'moderate' Islamic rule, he tells Robert Fisk
    Sarah Lucas is the perfect artist to represent Britain at the Venice Biennale

    Flesh in Venice

    Sarah Lucas has filled the British pavilion at the Venice Biennale with slinky cats and casts of her female friends' private parts. It makes you proud to be a woman, says Karen Wright
    11 best anti-ageing day creams

    11 best anti-ageing day creams

    Slow down the ageing process with one of these high-performance, hardworking anti-agers
    Fishing for votes with Nigel Farage: The Ukip leader shows how he can work an audience as he casts his line to the disaffected of Grimsby

    Fishing is on Nigel Farage's mind

    Ukip leader casts a line to the disaffected
    Who is bombing whom in the Middle East? It's amazing they don't all hit each other

    Who is bombing whom in the Middle East?

    Robert Fisk untangles the countries and factions
    China's influence on fashion: At the top of the game both creatively and commercially

    China's influence on fashion

    At the top of the game both creatively and commercially
    Lord O’Donnell: Former cabinet secretary on the election and life away from the levers of power

    The man known as GOD has a reputation for getting the job done

    Lord O'Donnell's three principles of rule
    Rainbow shades: It's all bright on the night

    Rainbow shades

    It's all bright on the night
    'It was first time I had ever tasted chocolate. I kept a piece, and when Amsterdam was liberated, I gave it to the first Allied soldier I saw'

    Bread from heaven

    Dutch survivors thank RAF for World War II drop that saved millions
    Britain will be 'run for the wealthy and powerful' if Tories retain power - Labour

    How 'the Axe' helped Labour

    UK will be 'run for the wealthy and powerful' if Tories retain power
    Rare and exclusive video shows the horrific price paid by activists for challenging the rule of jihadist extremists in Syria

    The price to be paid for challenging the rule of extremists

    A revolution now 'consuming its own children'
    Welcome to the world of Megagames

    Welcome to the world of Megagames

    300 players take part in Watch the Skies! board game in London
    'Nymphomaniac' actress reveals what it was really like to star in one of the most explicit films ever

    Charlotte Gainsbourg on 'Nymphomaniac'

    Starring in one of the most explicit films ever
    Robert Fisk in Abu Dhabi: The Emirates' out-of-sight migrant workers helping to build the dream projects of its rulers

    Robert Fisk in Abu Dhabi

    The Emirates' out-of-sight migrant workers helping to build the dream projects of its rulers