Fresh off the press!
According to a new CNNMoney article, a security researcher who, like many of us, also happens to be a Starbucks customer discovered that the popular Starbucks app (available on iOS and Android), which lets users make Starbucks purchases right from their mobile devices, stores user info such as passwords and email addresses in plain text. That's a problem...
"That means a hacker could pick up a left-behind phone, plug it into a laptop and easily recover a Starbucks customer's password without even knowing the smartphone's PIN code...if a hacker does obtain the password, it would allow him or her access to money stored in the customer's Starbucks account. Customers could be at greater risk if they use the same password for other sites."
A spokeswoman for Starbucks acknowledged the vulnerability, but went on to say that the possibility of the vulnerability being exploited is "very far fetched"... Not quite. While it's true that the potential hacker would need to have access to the customer's phone, have a computer on hand, and know how to access the file to extract the info, that scenario isn't what we in the security industry would call far fetched.
On top of this, Starbucks didn't say whether the app has been updated to fix the vulnerability. Chances are, however, that it hasn't, considering the last update was in May 2013 for the Apple version and September 2013 for Android.
We'll be keeping an eye out for updates to this developing story. In the meantime, you can read the CNN article by clicking the aforementioned link.