Originally published January 15, 2014 at 4:48 PM | Page modified January 16, 2014 at 9:49 PM

Starbucks iPhone app vulnerable, security specialist says

The Starbucks iPhone app stores customers’ personal data in unencrypted form that leaves it vulnerable to computer-savvy phone thieves, according to a cybersecurity expert whose discovery of the flaw was disclosed this week.


Seattle Times business reporter

Daniel Wood, a Minneapolis-area computer-security specialist, said he was able to break into the app’s file containing his email address, user name and password. That’s the same file where credit-card information would go, which means it would be exposed if he had entered it, he said in an interview.

Wood on Monday posted his findings about the flaw on a computer-security site, with recommendations to Starbucks security experts on how to fix it.

The personal information was visible in plain text format and wasn’t hard to get to — making it easy prey for hackers with malicious intent who might get ahold of someone’s phone, he said. Wood also said he was able to see a log of information about user location.

“I drink a lot of Starbucks myself,” Wood said, adding that he first found the flaw last November, when tinkering with the application to see if it was secure before putting in his credit-card information.

The mobile app is an increasingly important part of Starbucks’ strategy. It accounted for 11 percent of U.S. transactions in the quarter that ended last September.

A Starbucks spokesman said the company was aware of the report but knew of no impact on customers.

Wood’s discovery, first reported by Computerworld on Wednesday, comes amid heightened concerns about identity theft and credit-card security. Last month criminals broke into Target’s computers, gaining access to credit- and debit-card data belonging to tens of millions of people. Hackers also made off with names, mailing addresses and phone numbers for up to 70 million people, Target said last week.

This week, The Associated Press reported that Neiman Marcus was also the target of a cyber-heist.

The Seattle coffee giant has “taken steps to safeguard customers’ information and protect against the theoretical vulnerabilities raised in the report, but we are unable to discuss any of the details because we want to protect the integrity of our security measures,” spokesman Zack Hutson said in an email.

“We’re also looking at whether updating the app would add another layer of protection,” he said.

Wood said he only investigated the Starbucks app for Apple’s iOS. Starbucks said the flaw applied only to the iOS app and not to its Android equivalent.

In a message to store managers earlier this month, Chief Executive Howard Schultz said the company’s investments in digital and mobile payment expertise have positioned Starbucks to benefit from consumers’ growing use of online and mobile devices.

Schultz said digital payments helped Starbucks “efficiently handle” more than $1.3 billion in total Starbucks card loads in the U.S. and Canada, a record figure.

Ángel González; 206-464-2250 or agonzalez@seattletimes.com. On Twitter: @gonzalezseattle


