Starbucks: We fixed app that left passwords vulnerable

  @gregorywallace January 17, 2014: 9:57 AM ET


Starbucks said it has fixed its mobile app that left customers' passwords open to attack.

The hugely popular app, which allows Starbucks (SBUX, Fortune 500) customers to purchase drinks and food directly from their smartphones, had been saving customers' usernames, passwords and other personal information in plain text.

That meant a hacker could have picked up a left-behind phone, plugged it into a laptop and easily recovered a Starbucks customer's password without even knowing the smartphone's PIN code.

Starbucks acknowledged the vulnerability this week. It said that no customers had claimed to have been hacked as a result.

On Thursday night, Starbucks said it pushed out an updated version of its mobile app for iOS that "adds extra layers of protection." The Android app does not have the security flaw, the company said.


Exploiting the issue wouldn't have been trivial. To read a customer's password, an attacker needed the phone itself, a computer to plug it into, and knowledge of which file on the device held the credentials.
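The "know how to access the file" step above, and the plaintext storage described earlier, is mechanical once an app's container or a device backup has been copied to a laptop. The following is an added example, not Starbucks' code and not the researcher's tooling: a small scanner that walks an unpacked app directory and reports fields named like secrets (password, passcode, api key, token) stored in the clear in logs, JSON and Apple property lists. Every path, field and credential value in the sample container it builds is constructed for this example; the scanner redacts what it finds so the report itself does not become a second copy of the secret.

```python
"""Find plaintext credentials in an extracted app data directory.

Added example; not Starbucks' code and not the researcher's tooling.
Assumes the app's sandbox (or a device backup) is already unpacked on disk.
"""
import os
import re
import tempfile
from typing import List, Tuple

# Field names that usually label a secret in logs, plists, JSON and form data.
SECRET_NAMES = r"(?:password|passwd|pwd|passcode|secret|api[_-]?key|auth[_-]?token)"

PATTERNS = [
    # key=value, key: value, "key": "value"  (logs, query strings, JSON)
    re.compile(r'(?i)["\']?\b(' + SECRET_NAMES + r')\b["\']?\s*[:=]\s*["\']?([^"\'&\s,}]{1,200})'),
    # Apple property lists: <key>password</key><string>value</string>
    re.compile(r'(?is)<key>(' + SECRET_NAMES + r')</key>\s*<string>([^<]{1,200})</string>'),
]

MAX_FILE_BYTES = 8 * 1024 * 1024  # skip huge blobs (databases, media)

Finding = Tuple[str, str, str]  # (relative path, field name, redacted value)


def redact(value: str) -> str:
    """Keep just enough of a secret to confirm it is real, never the whole thing."""
    if len(value) <= 2:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 2)


def scan_file(path: str, root: str) -> List[Finding]:
    """Return credential-like pairs in one text file; binary/unreadable files are skipped."""
    try:
        if os.path.getsize(path) > MAX_FILE_BYTES:
            return []
        with open(path, "rb") as fh:
            text = fh.read().decode("utf-8")
    except (OSError, UnicodeDecodeError):
        return []  # not UTF-8 text (SQLite, images, ...): out of scope for this pass
    rel = os.path.relpath(path, root).replace(os.sep, "/")
    findings: List[Finding] = []
    for pattern in PATTERNS:
        for match in pattern.finditer(text):
            findings.append((rel, match.group(1).lower(), redact(match.group(2))))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk an unpacked app container and collect every plaintext credential hit."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            findings.extend(scan_file(os.path.join(dirpath, name), root))
    return sorted(findings)


def build_sample_container(root: str) -> None:
    """Write a constructed, fake app sandbox; all names and values are invented."""
    os.makedirs(os.path.join(root, "Library", "Preferences"), exist_ok=True)
    os.makedirs(os.path.join(root, "Library", "Logs"), exist_ok=True)
    os.makedirs(os.path.join(root, "Documents"), exist_ok=True)
    # 1. A debug log that echoed the login request (the classic mistake).
    with open(os.path.join(root, "Library", "Logs", "session.log"), "w") as fh:
        fh.write("2014-01-14 09:12:03 POST /login username=alice@example.com&password=hunter2\n")
        fh.write("2014-01-14 09:12:04 200 OK\n")
    # 2. A property list holding the account password in the clear.
    with open(os.path.join(root, "Library", "Preferences", "com.example.app.plist"), "w") as fh:
        fh.write('<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict>\n'
                 "<key>username</key><string>alice@example.com</string>\n"
                 "<key>password</key><string>hunter2</string>\n"
                 "</dict></plist>\n")
    # 3. A settings file with no secret in it: must produce no finding.
    with open(os.path.join(root, "Documents", "settings.json"), "w") as fh:
        fh.write('{"username": "alice@example.com", "favorite_store": 4021}\n')
    # 4. A binary blob that must be skipped rather than crash the scanner.
    with open(os.path.join(root, "Documents", "cache.db"), "wb") as fh:
        fh.write(b"SQLite format 3\x00" + bytes(range(256)))


def demo() -> List[Finding]:
    """Build the fake container in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_container(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, field, value in demo():
        print(f"{rel}: {field} = {value}")
```

Any hit for a field named password outside the platform's protected credential store is a defect regardless of whether the phone has a PIN, because the file is what an attacker copies off the device. The matching is regex-based: it will miss base64 or otherwise encoded values and will flag hashed ones, so treat its output as a first pass to be confirmed by hand.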

An attacker who did obtain the password could spend the money stored in the customer's Starbucks account. Customers who reuse that password on other sites would be exposed further.


The issue was first exposed by security researcher Daniel Wood, a Starbucks customer who said he tested the app to see if his information was secure.

"The application is storing the users' information -- everything from your full name to your address to your username and password as well as your email address," he told CNNMoney earlier this week.

Wood disclosed the issue in an online posting after approaching the company in December without getting a response from its technical teams. After the issue became public, he was contacted by Starbucks. On Tuesday, his post was reported by the technology site ComputerWorld.
