Starbucks App Compromises User Security

PCMag.com

January 20, 2014

Starbucks released an updated version of its Starbucks Mobile App for iOS, with additional performance enhancements and safeguards, promising extended protection for mobile users. The update is available as a free download in the Apple iTunes Store.

The Starbucks mobile app offers a certain convenience when paying for your venti non-fat, no-foam, six-pump extra-hot chai tea latte. But it turns out it could also compromise your security.

According to a report by Computerworld, the massively popular international coffee chain has been storing user names, email addresses and passwords in clear text. When a smartphone with the Starbucks app installed is connected to a PC, the password is easily accessible, the site said.

A Starbucks spokeswoman told PCMag that customers' security is "of the utmost importance to us," and that the company actively monitors for risks and vulnerabilities.

"While we are aware of this report, there is no known impact to our customers," she said in a statement. "To further mitigate our customers' potential risk from these theoretical vulnerabilities, Starbucks has taken additional steps to safeguard any sensitive information that might have been transmitted in this way."

Starbucks later released a letter to its customers, offering more details about customer information and the mobile app.

"We'd like to be clear: there is no indication that any customer has been impacted by this, or that any information has been compromised," chief information officer Curt Garner wrote in the post.

"Regardless, we take these types of concerns seriously and have added several safeguards to protect the information you share with us."

Exactly what those measures are, however, cannot be shared by Starbucks, but the company promised they sufficiently address recent concerns.

"Out of an abundance of caution, we are also working to accelerate the deployment of an update for this app that will add extra layers of protection," Garner said, adding that the update should be ready "soon."

Available for iOS, Android, and BlackBerry since 2011, the application boasts the title of most used mobile payment app in the U.S., and provides Starbucks fans with a sort of digital gift card that can be reloaded and used at any of the chain's American locations.

Conveniently, customers must enter their password only once, when activating the app's payment options, and again when adding money to the saved card. Every transaction can then be made with a simple smartphone scan at the register, eliminating the hassle of searching for change or swiping a credit card. But that convenience also has security risks, apparently.

According to Computerworld, security researcher Daniel Wood first discovered the password visibility late last year. After failed attempts at contacting Starbucks, Wood published his findings, along with a list of iOS-specific best practices for storing user data.

The Starbucks app version 2.6.1 launched in May for iOS, but has earned a measly 2.5-star rating, ironically gathering complaints about how the app fails to remember passwords or erases card and account information.

Copyright © LexisNexis, a division of Reed Elsevier Inc. All rights reserved.  