
Pay with Starbucks Mobile App? You May Be in Danger! (Updated 1/17/2014)

January 15, 2024         By: Kevin Xu

A security researcher has discovered a vulnerability in the Starbucks mobile app.

According to information security expert Daniel Wood, the Starbucks app saves its users’ account information, including usernames, emails, and passwords, onto the mobile device in plain text, where it can be read with the proper tools.

The Starbucks app integrates Crashlytics, a crash logger that gives programmers a snapshot of the Starbucks mobile app if it goes haywire.

However, the Crashlytics log contains the sensitive pieces of user information listed above, along with the saved location (coordinates) of the user every time the app is prompted to find a Starbucks store. This could potentially be a huge vulnerability.

Realistically, an evildoer would have to physically access the device, most likely by theft, and then access the logs embedded in the Starbucks app. After that, they would be able to go on a wild and crazy coffee spending spree at Starbucks. Since paying by app at physical Starbucks locations requires only that the user enter their password, the thief can easily wipe out Starbucks account balances. If the victim has set their account to automatically refill its balance, their losses may become much worse, though Starbucks says that this would likely trigger a fraud alert.
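As an added illustration (not code from this article, from Starbucks or from Crashlytics), the Python below shows the defensive side of this finding: an audit function that flags credential and location fields in a constructed, made-up crash-log sample, and the redaction an app should apply before any such value reaches a crash logger. The log format and field names are assumptions for the example.

```python
import re

# Constructed sample of what an on-device crash-logger session file might
# look like. Invented for this example; not the real Starbucks/Crashlytics format.
SAMPLE_LOG = """\
[session] app=coffeeapp build=2.6.1
[user] username=jdoe email=jdoe@example.com password=Coffee!23
[geo] lat=47.6062 lon=-122.3321 query=find_store
[user] username=asmith email=asmith@example.com password=latte2014
"""

# Keys whose values must never be written to a log on the device
# (credentials, and the per-lookup coordinates mentioned in the article).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "secret", "token", "email", "lat", "lon"}
KV_RE = re.compile(r"(?P<key>[A-Za-z_][A-Za-z0-9_]*)=(?P<value>\S+)")


def find_plaintext_secrets(log_text):
    """Audit check: return (line_no, key, value) for every sensitive pair found."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for m in KV_RE.finditer(line):
            if m.group("key").lower() in SENSITIVE_KEYS:
                findings.append((line_no, m.group("key"), m.group("value")))
    return findings


def redact(log_text):
    """Mitigation on the logging side: keep the key for debugging, drop the value."""
    def _sub(m):
        if m.group("key").lower() in SENSITIVE_KEYS:
            return f"{m.group('key')}=[REDACTED]"
        return m.group(0)
    return "\n".join(KV_RE.sub(_sub, line) for line in log_text.splitlines())


if __name__ == "__main__":
    for line_no, key, value in find_plaintext_secrets(SAMPLE_LOG):
        print(f"line {line_no}: {key} stored in plain text ({value!r})")
    print(redact(SAMPLE_LOG))
```

Run against the sample it reports six plaintext fields (two credentials and two coordinates per lookup); after redaction every flagged value reads [REDACTED].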

While a $30 spending spree on some brew and a lost device might not be a huge loss to some, this vulnerability in the Starbucks app might actually lead to compromised bank accounts or worse, since an estimated 61% of people reuse the same passwords over multiple accounts.


Update:

Starbucks has released an update late Thursday to fix the potential security vulnerabilities on its mobile app.

Curt Garner, Starbucks’ chief information officer, said in a statement that the “theoretical vulnerabilities” were resolved. Starbucks also added that the vulnerability was only present in the iPhone version of the mobile app, and Android phones remain unaffected.

Garner writes that although there is no evidence that anyone has been affected by the vulnerability, Starbucks customers who believe they have been compromised can contact the company directly for support.