starbucks
Photo by Ivana Di Carlo, via Flickr.

Update, Jan. 17: Starbucks has now issued the promised update to the app.

Starbucks says it will make further updates to its iOS app to address concerns raised by a security researcher about the way the app stores user names and passwords. The company issued an open letter to customers this morning, telling them that the company has already taken steps to protect their personal information, and saying that it will go further in a forthcoming update to the app.

Retail technology columnist Evan Schuman reported on the situation in Computerworld yesterday, citing the work of security researcher Daniel Wood. The problem, according to the Computerworld report, is that Starbucks is storing the user names and passwords in clear text on the device, in a way that can be accessed using the right tools when connected to a PC.

Here’s the full text of the letter issued by Starbucks this morning:

January 16, 2013

Dear Customer,

Your security is incredibly important to us. This week a research report identified theoretical vulnerabilities associated with the Starbucks Mobile App for iOS in the event a customer’s iPhone were to be physically stolen and hacked.

We’d like to be clear: there is no indication that any customer has been impacted by this or that any information has been compromised. Regardless, we take these types of concerns seriously and have added several safeguards to protect the information you share with us. To protect the integrity of these added measures, we are unable to share technical details but can assure you that they sufficiently address the concerns raised in the research report.

Out of an abundance of caution, we are also working to accelerate the deployment of an update for the app that will add extra layers of protection. We expect this update to be ready soon and will share our progress here. While we are working on the update, we would like to emphasize that your information is protected and that you should continue to feel confident about the integrity of our iOS app.

We appreciate your business and believe it is our job to earn your trust as a customer. We also know that constant vigilance is the best way to protect you and the information you share with us. If you think your information may have been compromised for any reason, please contact our Customer Care team at 1-800-23-LATTE or at www.starbucks.com/customer.

Sincerely,

Curt Garner

Starbucks chief information officer

Comments

  • http://www.christopherbudd.com Christopher Budd

    We learned the hard way at Microsoft many, many years ago to never talk about “theoretical” vulnerabilities. As soon as you do, a researcher will helpfully make them not theoretical any more.

    Anyway, it’s the the right term. The vulnerability is there. It’s not theoretical. What they really mean to say is that to their knowledge it’s not being actively exploited. But even there, you have to use caution: people who are actively exploiting vulnerabilities that aren’t known aren’t going to be very public about it: they have a vested interest in the holes staying open for as long as possible.

  • Matthew Reynolds

    Storing passwords in cleartext is not a theoretical vulnerability, it’s just lazy programming. Not checking your certs for SSL requests in financial apps is also a “theoretical” vulnerability. Keeping private information in plaintext in memory is also a “theoretical” vulnerabilty, but Target found that it was quite real

  • Guest

    Congrats to Starbucks for owning this story. The vuln wasn’t too severe — it depended on a man capturing my phone, which is unlikely — but I appreciate the added sec. It should noted that the phys cards, which most custs use, already use insec tech and nobody complained about them.

    I apologise for those who blew this out of proportion and I thank Starbucks for taking control.

  • LF

    I had my Starbucks card drained of it’s $ 375.00 balance and it took Starbucks almost 3 weeks to get back to me to say the funds were drawn off and onto an unregistered card and that Starbucks is not responsible.
    I say when I entrust my money into a corporations account, they are acting as a bank and holding my money ” in trust for ” my demand for usage. In case they are irresponsible and reckless, thus should be accountable for my loss. A bank would reimburse me if this occurred on their watch !

Job Listings on GeekWork