The Starbucks app for Android and iOS is vulnerable to hacking, according to security researcher Daniel Wood. The app apparently stores user information in unencrypted clear text, which makes that information extremely easy to read if a hacker can get his or her hands on it. “Within session.clslog there are multiple instances of the storage of clear-text credentials that can be recovered and leveraged for unauthorized usage of a user's account on the malicious users’ own device or online at https://www.starbucks.com/account/signin,” writes Wood.
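To make the flaw concrete, here is an added Python example (not code from the Starbucks app or from Wood's report) showing the vulnerable pattern of dumping a login request straight into a session log, the hardened variant that redacts credential fields first, and an audit check a reviewer could run over a log file left in the app sandbox. The log line format, field names and sample entries are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Field names treated as credentials; assumption for this example.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "token", "auth"}

def log_login_vulnerable(entry: Dict[str, str]) -> str:
    """Vulnerable pattern: serialise the whole login request into the log,
    so the clear-text password lands in the session log file."""
    return "login " + " ".join(f"{k}={v}" for k, v in entry.items())

def redact(entry: Dict[str, str]) -> Dict[str, str]:
    """Replace credential fields before the entry reaches any logger."""
    return {k: ("<redacted>" if k.lower() in SENSITIVE_KEYS else v)
            for k, v in entry.items()}

def log_login_hardened(entry: Dict[str, str]) -> str:
    """Hardened pattern: same log line, but credentials are redacted first."""
    return log_login_vulnerable(redact(entry))

# Matches key=value pairs for credential keys whose value is not the
# redaction marker; case-insensitive so "Password=" is caught too.
CRED_LINE = re.compile(
    r"\b(password|passwd|pwd|token|auth)=(?!<redacted>)\S+", re.IGNORECASE)

def find_leaked_credentials(log_text: str) -> List[Tuple[int, str]]:
    """Audit check: return (line_number, key) for each line that carries a
    non-redacted credential field."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for m in CRED_LINE.finditer(line):
            hits.append((n, m.group(1).lower()))
    return hits

# Constructed sample session log: two lines leak secrets, one is redacted.
SAMPLE_LOG = """session start device=android
login email=alice@example.test password=hunter2 remember=true
refresh token=abc123
login email=bob@example.test password=<redacted>
"""

if __name__ == "__main__":
    for line_no, key in find_leaked_credentials(SAMPLE_LOG):
        print(f"line {line_no}: clear-text '{key}' field in session log")
```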
Still, the security flaw cannot be exploited unless someone has physical access to a victim’s phone. If a victim’s phone is stolen, the user information like name, address, email, and Starbucks password can easily be obtained. This is why it’s a good idea to enable Android Device Manager and Find My iPhone so you can remotely wipe your phone if it is lost or stolen.
Starbucks has responded and verified that the vulnerability exists but also notes that it is unlikely that a hacker will have physical access to a victim’s phone. The broader security issue arises if a person reuses the same password on other sites, especially for banking. To protect yourself from data breaches, it’s best to use a password manager to create and store a different password for each site.
The recent data breach at Target and a string of high-profile hacks at companies like Adobe should be enough to pressure Starbucks into rewriting the app so that it doesn’t store user information in clear-text. Starbucks has not yet promised to fix the vulnerability, though it’s difficult to see why they wouldn’t.
Source: ReadWrite