Starbucks Fixes Security Flaw

A Starbucks mobile app used by more than 10 million consumers to purchase drinks and food directly from their smartphones is reportedly putting those customers at risk.

A security researcher named Daniel Wood tested the retailer’s app to see how easily a hacker could pick up a phone left behind by a customer, plug it into a laptop and recover the customer’s Starbucks password.

“There are multiple instances of the storage of clear-text credentials that can be recovered and leveraged for unauthorized usage of a user’s account on the malicious user’s own device or online,” Wood wrote in a post on Seclist.org.

Starbucks has acknowledged the vulnerability but insists no customers have claimed to being hacked. And while it called the scenario far-fetched, it reported that it has pushed out an updated version of the app with “extra layers of protection” that the company insists has no security flaw.

 “Obviously the security of our customers’ information is of the most importance to Starbucks and we’re monitoring for any risks and vulnerabilities,” the company said in a statement

To exploit the Starbucks app flaw, Wood says the hacker would need to somehow obtain the customer’s phone, an available computer, and know how to access the file. In other words, the hack is possible, but it's not so simple as sitting in front of a computer monitor.

Starbucks doesn’t believe its customers need to worry about getting hacked, but a successful hack would grant the hacker access to the customer’s money on the account. The hack could have worse implications if the customer uses the same password for Starbucks as they do with other sites and apps.