Following a security researcher's report showing the Starbucks app for the iPhone stores customer user names and passwords in an unencrypted format, the company has responded with an app update that includes what it called new safeguards.
Starbucks app left user logins unprotected
The user name and password issue was revealed by Daniel Wood on the seclists.org website, where he said:
"There are multiple instances of the storage of clear-text credentials that can be recovered and leveraged for unauthorized usage of a user's account on the malicious user's own device or online at [the Starbucks website]."
The Starbucks app for the iPhone stores users' customer loyalty card information, which includes the balance still available for purchases, along with user account logins and location information. To access the information stored in the app, someone would need physical access to the victim's iPhone.
Assuming someone did get ahold of an iPhone with the Starbucks app installed, they could potentially buy their fill of lattés and chai drinks, and if the app is set to auto-reload from a credit card, they could spend up to the card's limit on drinks and food.
That shouldn't be an issue as of Friday, however, because Starbucks released version 2.6.1 of its iPhone app. The coffee giant hasn't said exactly what measures it has taken with the app update to secure customer information other than to say it includes "additional performance enhancements and safeguards."