Update: On Thursday evening, Starbucks updated its mobile apps in response to the publicity surrounding the vulnerability and told CNN that the bug is now fixed. Starbucks has also issued a full statement on its website. Carry on, coffee drinkers.
The Starbucks mobile app, which is used by more than 10 million Starbucks customers to purchase drinks and food directly from their smartphones, is reportedly compromised, according to security researcher Daniel Wood.
In a post to Seclist.org, Wood, a Starbucks customer who said he was concerned about the security of his data, tested the coffee maker’s app to see how easily a hacker could pick up a phone left behind by a customer, plug it into a laptop and recover the customer’s Starbucks password.
“There are multiple instances of the storage of clear-text credentials that can be recovered an leveraged for unauthorized usage of a user’s account on the malicious user’s own device or online at https://www.starbucks.com/account/signin,” Wood wrote in his note, published on January 13th.
Starbucks has acknowledged the vulnerability since Wood’s report surfaced online, but Starbucks spokesperson Jim Olson said no customers have claimed they’ve been hacked.
“Obviously the security of our customers’ information is of the most importance to Starbucks and we’re monitoring for any risks and vulnerabilities,” Olson said.
Unsafe But Unlikely
According to a report by CNN, Starbucks spokeswoman Linda Mills called the likelihood of the vulnerability being exploited, “very far fetched.”
To exploit the Starbucks app flaw, Wood says the hacker would need to somehow obtain the customer’s phone, an available computer, and know how to access the file. In other words, the hack is possible, but it’s not so simple as sitting in front of a computer monitor.
Starbucks doesn’t believe its customers need to worry about getting hacked, but a successful hack would grant the hacker access to the customer’s money on the account. The hack could have worse implications if the customer uses the same password for Starbucks as they do with other sites and apps.
In his post exposing the vulnerability, Wood offers a handful of “best practices” for mobile users to mitigate, if not prevent, a user’s data from being lost to a malicious user. For instance, Wood recommends users never store credentials on the phone file system, and offers a few alternatives for storing and encrypting data.
“The application is storing the users’ information — everything from your full name to your address to your username and password as well as your email address,” Wood told CNN.
The Starbucks mobile app, which has been one of the most popular free apps in Google Play and the iOS App Store over the last several years, was last updated for iOS devices in May and Android devices in September. This security flaw, while difficult to exploit, should provoke Starbucks to reassess its own mobile security for its next round of app updates.
Starbucks has been seen as a leader in the burgeoning mobile payments realm. It is one of the few national retailers that has been able to consistently get their customers to pay at brick-and-mortar stores with their smartphones. But one of the many reasons that mobile payments haven’t taken off, as many predicted they would, is because consumers are not sure they can trust their smartphones to make a secure payment.
Trust is a huge factor for people when they are handing their money to someone else and to this point, Starbucks held its customers’ trust that their payment data was secure. While the hack detailed by Wood may seem unlikely, that doesn’t mean that Starbucks has a foolproof system. With consumers already wary of large retailers security of their credit and debit card information, the news that Starbucks is also vulnerable comes as more bad news for the mobile payments industry.