Starbucks iPhone app vulnerable, security specialist says

by Ángel González, Seattle Times

The mobile app is an increasingly important part of Starbucks’ strategy, accounting for 11 percent of U.S. transactions in the quarter that ended last September.

The Starbucks iPhone app stores customers’ personal data in unencrypted form that leaves it vulnerable to computer-savvy phone thieves, according to a cybersecurity expert whose discovery of the flaw was disclosed this week.

Daniel Wood, a Minneapolis-area computer-security specialist, said he was able to break into the app’s file containing his email address, user name and password. That’s the same file where credit-card information would go, which means it would be exposed if he had entered it, he said in an interview.

Wood on Monday posted his findings about the flaw on a computer-security site, with recommendations to Starbucks security experts on how to fix it.

The personal information was visible in plain text format and wasn’t hard to get to — making it easy prey for hackers with malicious intent who might get ahold of someone’s phone, he said. Wood also said he was able to see a log of information about user location.

“I drink a lot of Starbucks myself,” Wood said, adding that he first found the flaw last November, when tinkering with the application to see if it was secure before putting in his credit-card information.

The mobile app is an increasingly important part of Starbucks’ strategy. It accounted for 11 percent of U.S. transactions in the quarter that ended last September.

A Starbucks spokesman said the company was aware of the report but knew of no impact on customers.

Wood’s discovery, first reported by Computerworld on Wednesday, comes amid heightened concerns about identity theft and credit-card security. Last month criminals broke into Target’s computers, gaining access to credit and debit-card data belonging to tens of millions of people. Hackers also made out with names, mailing addresses and phone numbers for up to 70 million people, Target said last week.

This week, The Associated Press reported that Neiman Marcus was also the target of a cyber-heist.

The Seattle coffee giant has “taken steps to safeguard customers’ information and protect against the theoretical vulnerabilities raised in the report, but we are unable to discuss any of the details because we want to protect the integrity of our security measures,” spokesman Zack Hutson said in an email.

“We’re also looking at whether updating the app would add another layer of protection,” he said.

Wood said he only investigated the Starbucks app for Apple’s iOS. Starbucks said the flaw applied only to the iOS app and not to its Android equivalent.

In a message to store managers earlier this month, Chief Executive Howard Schultz said the company’s investments in digital and mobile payment expertise have positioned Starbucks to benefit from consumers’ growing use of online and mobile devices.

Schultz said digital payments helped Starbucks “efficiently handle” more than $1.3 billion in total Starbucks card loads in the U.S. and Canada, a record figure.