Starbucks app leaves passwords vulnerable

January 16, 2014: 1:24 PM ET
Starbucks acknowledged its mobile app has a vulnerability that stores customer passwords without encryption.
NEW YORK (CNNMoney)

Starbucks' mobile app leaves customers' passwords open to attack, according to a research report.

The popular app, which allows Starbucks (SBUX) customers to purchase drinks and food directly from their smartphones, saves customers' usernames, passwords and other personal information in plain text. That means a hacker could pick up a left-behind phone, plug it into a laptop and easily recover a Starbucks customer's password without even knowing the smartphone's PIN code.

Starbucks spokeswoman Linda Mills acknowledged the vulnerability and said the possibility of the vulnerability being exploited is "very far-fetched."

Mills and Jim Olson, another Starbucks spokesman, said no customers have claimed to have been hacked as a result.

"Obviously the security of our customers' information is of the utmost importance to Starbucks and we're monitoring for any risks and vulnerabilities," Olson said.

After CNNMoney and other outlets reported the issue, the company announced in a letter to customers it was "working to accelerate the deployment of an update for the app that will add extra layers of protection."

Curt Garner, Starbucks chief information officer, wrote in the online letter that "we expect this update to be ready soon." The app is available for Apple (AAPL) and Google (GOOG) Android devices.

On Wednesday, Olson stressed the company was "always evolving and enhancing our systems to ensure that our systems are secure."

Exploiting the issue wouldn't be easy. To read a customer's password, an attacker needs physical possession of the phone, a computer to plug it into, and knowledge of which file in the app's storage holds the data.
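What the "know how to access the file" step amounts to in practice, as an added example that is not Starbucks' code and not part of the original research report: once an app's data directory has been copied off a phone, a short script can sweep every file for credential-like fields stored as readable text. The directory layout, file names and contents below are constructed for the demonstration; this article does not describe the real app's file layout.

```python
"""Sweep an app data directory (as copied off a phone) for plaintext credentials.

Added example, not the Starbucks app's code. The sample tree below is
constructed; real apps store data under paths of their own choosing.
"""
import re
import tempfile
from pathlib import Path

# Field names whose values should never sit readable in app storage.
SECRET_KEYS = ("password", "passwd", "pwd", "username", "email", "auth_token")
_KEYS = "|".join(SECRET_KEYS)

# key=value, key: value and "key": "value" as found in logs, JSON and .properties files.
_KV_RE = re.compile(
    r'["\']?(?P<key>' + _KEYS + r')["\']?\s*[=:]\s*["\']?(?P<value>[^"\'\s,;}]+)',
    re.IGNORECASE,
)
# <key>name</key><string>value</string> as used by iOS property lists.
_PLIST_RE = re.compile(
    r"<key>(?P<key>" + _KEYS + r")</key>\s*<string>(?P<value>[^<]*)</string>",
    re.IGNORECASE,
)


def redact(value):
    """Keep two leading characters so a finding can be confirmed without copying the secret into a report."""
    if len(value) <= 2:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 2)


def find_plaintext_secrets(root):
    """Return (relative path, line number, field, redacted value) for every readable credential under root."""
    root = Path(root)
    hits = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        text = path.read_text(errors="replace")  # binary files become noise, not exceptions
        for lineno, line in enumerate(text.splitlines(), 1):
            for pattern in (_KV_RE, _PLIST_RE):
                for m in pattern.finditer(line):
                    hits.append((path.relative_to(root).as_posix(), lineno,
                                 m.group("key").lower(), redact(m.group("value"))))
    return hits


# Constructed sample of what a tester might pull from an app container (hypothetical paths).
SAMPLE_FILES = {
    # diagnostic log that echoes the login request, credentials included
    "Library/Caches/diagnostics.log": (
        "2014-01-16 12:01:03 INFO app started\n"
        "2014-01-16 12:01:09 DEBUG login username=alice@example.com password=Hunter2! result=ok\n"
    ),
    # JSON preferences holding the e-mail address and a server-issued token
    "Library/Preferences/settings.json":
        '{"theme": "dark", "email": "alice@example.com", "auth_token": "d8f3a1c9e4b2"}\n',
    # iOS property list with the account password as a readable string
    "Documents/account.plist": (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<plist version="1.0"><dict>\n'
        "  <key>username</key><string>alice@example.com</string>\n"
        "  <key>password</key><string>Hunter2!</string>\n"
        "</dict></plist>\n"
    ),
    # the safe pattern: only a reference to a keychain item, never the secret itself
    "Library/Preferences/safe.json":
        '{"theme": "dark", "user_id": 4711, "keychain_ref": "com.example.app.session"}\n',
}


def build_sample_tree(root):
    """Write the constructed sample files under root."""
    for rel, content in SAMPLE_FILES.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)


def demo():
    """Build the sample tree in a temporary directory, scan it and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_plaintext_secrets(tmp)


if __name__ == "__main__":
    for rel, lineno, field, value in demo():
        print(f"{rel}:{lineno}: {field} = {value}")
```

The scan flags the log line, the JSON preferences and the property list, and reports nothing for the file that stores only a keychain reference; that last case is the behaviour an update "adding extra layers of protection" would need to reach for the data the article says is stored.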

If an attacker does obtain the password, it gives him or her access to any money loaded onto the customer's Starbucks account. Customers who reuse that password on other sites are at greater risk.

The issue was first exposed by security researcher Daniel Wood, a Starbucks customer who said he tested the app to see if his information was secure.

"The application is storing the users' information -- everything from your full name to your address to your username and password as well as your email address," he told CNNMoney.

Wood disclosed the issue in an online posting after approaching the company in December and getting no response from its technical teams. After the issue became public, Starbucks contacted him. On Tuesday, his post was reported by the technology site ComputerWorld.

Olson said Starbucks had reached out to Wood regarding his report. The Starbucks apps are used by about 10 million customers, Olson said.
