Starbucks app leaves passwords unencrypted and users at risk

A security researcher identified a problem with the US version of the app - it's thought that the UK version suffers from a similar flaw

Update: Starbucks say they have since updated the app to offer "extra layers of protection", with a spokesperson for the company stating that "We have no indication that any customer has been impacted by this or that any information has been compromised."

A Starbucks app used for in-store payment may be vulnerable to hackers, according to new research by an American computer security specialist.

The Starbucks card mobile app, launched in 2009, allows users to pay for orders with their mobile devices via a Starbucks Card. To pay, users of the app just need to scan the app’s barcode.

Daniel Wood, an expert in computer security, published the results of his research this week. His findings revealed that the iOS app stored customers' usernames, passwords, and email addresses in clear text.

This means that if a hacker connected a phone to a computer and viewed the phone's crash log, they would be able to read the username and password stored there. Daniel Wood, in an interview with Computerworld, said that the passcode lock on an iPhone would offer no protection as “You don’t need a user’s PIN in order to pull raw data off the phone”.
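As an added illustration, not code from the article or from the Starbucks app, this is the kind of pre-release check a mobile team could run over its own diagnostic output: it scans crash-log text for credential fields written in clear and shows the redaction that should happen before anything is logged. The log lines and field names are constructed for the example.

```python
import re

# Constructed sample of the kind of diagnostic/crash log the article describes:
# an app writing session fields, including the password, as plain text.
SAMPLE_CRASH_LOG = """\
2013-05-02 10:14:03 session start
username=alice@example.com
password=hunter2
email=alice@example.com
device=iPhone5,1 os=6.1.3
"""

# Field names that must never appear with a plaintext value in a log.
SENSITIVE_KEYS = ("password", "passwd", "pin", "username", "email", "token")
PLACEHOLDER = "[REDACTED]"

# key=value or key: value pairs; the value stops at whitespace, comma or semicolon.
_KV = re.compile(r"\b(?P<key>[A-Za-z_]+)\s*[=:]\s*(?P<val>[^\s,;]+)")


def find_cleartext_credentials(log_text):
    """Return (line_no, key, masked_value) for every sensitive field found.

    Values are masked so the report itself does not leak the secret."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for m in _KV.finditer(line):
            key, val = m.group("key").lower(), m.group("val")
            if key in SENSITIVE_KEYS and val != PLACEHOLDER:
                findings.append((n, key, val[0] + "*" * (len(val) - 1)))
    return findings


def redact(log_text):
    """Hardened counterpart: scrub sensitive values before the log is written."""
    def _sub(m):
        if m.group("key").lower() in SENSITIVE_KEYS:
            return f"{m.group('key')}={PLACEHOLDER}"
        return m.group(0)
    return _KV.sub(_sub, log_text)


if __name__ == "__main__":
    for line_no, key, masked in find_cleartext_credentials(SAMPLE_CRASH_LOG):
        print(f"line {line_no}: {key} stored in clear ({masked})")
    print(redact(SAMPLE_CRASH_LOG))
```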

With access to the username and password, hackers would be able to charge purchases in Starbucks using the app until the pre-loaded amount of money ran out. However, customers can activate a setting in the app that automatically tops up their balance. If that setting is on, hackers could repeatedly drain the balance and have it refilled from the user’s bank account each time.

Thankfully, according to Starbucks’ Chief Digital Officer Adam Brotman, who spoke to Computerworld, the coffee company sends a message to the user if there is a request for more money, thus alerting the customer.

The UK edition of the Starbucks app.

It has not yet been confirmed whether the UK app has the same security issue. However, Daniel Wood told The Independent that he believed the UK app would be affected by the same problem “if the application is the same and just using the GB localisation file”. 

He added: “Language localisation should not change app functionality. I have not attempted to access the UK App Store personally to test this, however, the app published dates are the same for the US and UK app so that leads me to believe they are the same version”.

A spokesperson for Starbucks told The Independent: “Our customers’ security is of the utmost importance to us, and we actively monitor for risks and vulnerabilities. While we are aware of this report, there is no known impact to our customers.”

“To further mitigate our customers’ potential risk from these theoretical vulnerabilities, Starbucks has taken additional steps to safeguard any sensitive information that might have been transmitted in this way.”

It is not yet known what changes Starbucks have made, and it is believed that the app must be updated in order to remove the security flaw. The same version of the app that Daniel Wood tested, version 2.6.1, is still listed as the most recent version available on the UK App Store – and has not been updated since May 2013.
