Evan Schuman at Computerworld reported a pretty significant security oversight in the iOS Starbucks app Wednesday: The most used mobile-payment app in the United States was storing usernames, e-mail addresses, passwords and some geographic location data in cleartext on mobile phones. Essentially, that means that if someone has physical access to your phone, they could get access to the information by plugging it into a PC.
Starbucks has downplayed the issue, saying in an open letter today that "there is no indication that any customer has been impacted by this or that any information has been compromised." Although Starbucks said it has added new safeguards to protect the data, arguing that they "sufficiently address the concerns raised" by the research, the company would not share details about what those safeguards were.
When pressed over e-mail Wednesday about whether the problem identified by Computerworld was fixed, Starbucks spokesperson Maggie Jantzen said "a theoretical vulnerability still exists." After posting its open letter, Starbucks refused to confirm or deny whether the theoretical vulnerability still existed in a separate inquiry Thursday.
So if you use the mobile app, you might still want to be extra careful about leaving your phone unattended.
Despite its Wednesday admission, the open letter says Starbucks is working to "accelerate the deployment of an update for the app that will add extra layers of protection" only "out of an abundance of caution."
