Starbucks has promised to tighten security on its iOS app, which was revealed earlier this week to have a serious vulnerability that allows anyone in possession of the phone to collect the user's password and location history.
The Starbucks app, which lets the user order and pay for food and drinks at any of the coffee chain's many stores, was storing a wealth of confidential data in "clear text," meaning it was not encrypted or password-protected but simply written to a file. The technical details, published by security researcher Daniel Wood, are available here.
Furthermore, that file is not in a part of the phone behind the iPhone's built-in PIN lock: By plugging the phone into a computer and running a common piece of development software, a malicious actor would be able to get at the file in moments.
In addition to the user's email and Starbucks account details, the app stored a location history of every time the user searched for a nearby store.
By plugging in a stolen phone into their computer for just a few seconds, then, a hacker would be able to buy things at Starbucks on the user's dime until the cash allocated to the app ran out, though some automatically deduct from a linked credit card. And if the victim uses the same username, email or password anywhere else on the Internet, that account could also be compromised — though, strictly speaking, this would be the result of bad security practices by the user, not Starbucks.
The Android version of the app has not been tested for this issue.
Curt Garner, chief information officer at Starbucks, penned a post at the official Starbucks news feed downplaying the risk of the "theoretical vulnerabilities" but promising "out of an abundance of caution" to hurry with a security-related update.
Devin Coldewey is a contributing writer for NBC News Digital. His personal website is coldewey.cc.
