Starbucks app leaves passwords vulnerable

5:25 PM, Jan 16, 2014
(Photo: Eric Risberg AP)

 


 


New York (CNNMoney) -- Starbucks' mobile app leaves customers' passwords open to attack, according to a research report.

The popular app, which allows Starbucks customers to purchase drinks and food directly from their smartphones, saves customers' usernames, passwords and other personal information in plain text. That means a hacker could pick up a left-behind phone, plug it into a laptop and easily recover a Starbucks customer's password without even knowing the smartphone's PIN code.

Starbucks spokeswoman Linda Mills acknowledged the vulnerability and said the possibility of it being exploited is "very far fetched."

Mills and Jim Olson, another Starbucks spokesman, said no customers have claimed to have been hacked as a result.

"Obviously the security of our customers' information is of the utmost importance to Starbucks and we're monitoring for any risks and vulnerabilities," Olson said.

After CNNMoney and other outlets reported the issue, the company announced in a letter to customers it was "working to accelerate the deployment of an update for the app that will add extra layers of protection."

Curt Garner, Starbucks chief information officer, wrote in the online letter that "we expect this update to be ready soon." The app is available for Apple and Google Android devices.


On Wednesday, Olson stressed the company was "always evolving and enhancing our systems to ensure that our systems are secure."

Exploiting the issue wouldn't be easy. To access a customer's password, a hacker needs to be in possession of the phone, have a computer handy, and know how to access the file.

If a hacker does obtain the password, it would allow him or her access to money stored in the customer's Starbucks account. Customers could be at greater risk if they use the same password for other sites.


The issue was first exposed by security researcher Daniel Wood, a Starbucks customer who said he tested the app to see if his information was secure.

"The application is storing the users' information -- everything from your full name to your address to your username and password as well as your email address," he told CNNMoney.

Wood disclosed the issue in an online posting after approaching the company in December without a response from technical teams. After the issue became public, he was contacted by Starbucks. On Tuesday, his post was reported by the technology site ComputerWorld.

Olson said Starbucks had reached out to Wood regarding his report. The Starbucks apps are used by about 10 million customers, Olson said.
