ATLANTA -- Time to change another password: the Starbucks iPhone app reportedly stores usernames, passwords and email addresses in clear text.
According to a Computerworld report, the app is designed so users only have to enter their username and password once, for ease of use. But these credentials are then stored on the phone, without encryption.
Anyone looking to steal this information need only connect the phone running the app to a computer.
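The defect described above is a storage problem: credential fields written in the clear into an app's own preference files, where anyone with a copy of the device's file system can read them. The following Python audit script is an added example, not code from the article or from Starbucks; it builds a constructed app container with one "vulnerable" and one "hardened" preferences plist (file names, keys and sample values are all made up for the example) and then walks the tree flagging credential-named keys whose values are stored as plaintext strings. The hardened file keeps only a label pointing at the OS keychain, which is the pattern a developer would use instead.

```python
"""Audit an extracted iOS-style app container for plaintext credentials.

Added example (not from the article, not Starbucks' code). Uses only the
standard library: plistlib for .plist files, json for .json files.
"""
import json
import os
import plistlib
import re
import tempfile

# Leaf keys that must never hold a plaintext value in on-device storage.
# Exact-match (case-insensitive) so that e.g. "keychainAccount" is not flagged.
CREDENTIAL_KEY = re.compile(r"^(user(name)?|email|pass(word|wd)?|pwd|secret|token)$", re.I)


def _walk(obj, path=()):
    """Yield (key_path, value) for every leaf of a nested dict/list structure."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _walk(value, path + (str(key),))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from _walk(value, path + (f"[{index}]",))
    else:
        yield path, obj


def _load(file_path):
    """Parse a .plist or .json file; return None for anything else."""
    if file_path.endswith(".plist"):
        with open(file_path, "rb") as handle:
            return plistlib.load(handle)
    if file_path.endswith(".json"):
        with open(file_path, "r", encoding="utf-8") as handle:
            return json.load(handle)
    return None


def find_plaintext_credentials(root):
    """Return [(relative_file, dotted_key), ...] for credential keys stored as plaintext."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            data = _load(full)
            if data is None:
                continue
            for key_path, value in _walk(data):
                leaf = key_path[-1] if key_path else ""
                # A non-empty str under a credential-named key is the defect we audit for.
                if CREDENTIAL_KEY.search(leaf) and isinstance(value, str) and value:
                    findings.append((os.path.relpath(full, root), ".".join(key_path)))
    return findings


def build_sample_container(root):
    """Write two constructed preference files: one vulnerable, one hardened."""
    prefs = os.path.join(root, "Library", "Preferences")
    os.makedirs(prefs, exist_ok=True)
    vulnerable = {  # constructed sample data; mirrors the pattern in the report
        "AppVersion": "2.6.1",
        "RememberMe": True,
        "username": "jane.doe",
        "password": "hunter2",
        "email": "jane.doe@example.com",
    }
    with open(os.path.join(prefs, "com.example.coffee.vulnerable.plist"), "wb") as handle:
        plistlib.dump(vulnerable, handle)
    hardened = {  # secret material lives in the OS keychain; prefs hold only a label
        "AppVersion": "2.6.1",
        "RememberMe": True,
        "keychainAccount": "com.example.coffee.session",
    }
    with open(os.path.join(prefs, "com.example.coffee.hardened.plist"), "wb") as handle:
        plistlib.dump(hardened, handle)


def demo():
    """Build the constructed container in a temp dir and return the audit findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_container(root)
        return find_plaintext_credentials(root)


if __name__ == "__main__":
    for rel_file, key in demo():
        print(f"plaintext credential: {rel_file} -> {key}")
```

Run against a real extracted container, `find_plaintext_credentials("/path/to/container")` reports every credential-named key with a plaintext string value; the hardened sample produces no findings because the preferences file carries only a keychain label, never the secret itself.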
This vulnerability could be very damaging, to both Starbucks and its users — the app is the most popular mobile payment program in the U.S., responsible for some 11 percent of Starbucks' transactions last quarter. (Via YouTube / Bank2Book)
Security researcher Daniel Wood first discovered the issue in November and approached Starbucks about it. He later published his findings, after being repeatedly shuffled off to Starbucks' customer service. (Via Seclists.org)
In a statement to the Seattle Times, Starbucks said it has "taken steps to safeguard customers' information and protect against the theoretical vulnerabilities raised in the report," but declined to go into specifics.
Wood says that's not good enough. His initial report referenced app version 2.6.1 — the same version available for download from the App Store now.
He told The Verge it's still carrying the same plaintext credentials — and without an app update from Starbucks, that's not going to get fixed. "Anything they have done on their end won't matter as the vulnerability lies within the application on end user devices."