January 17, 2014
In response to a recently disclosed vulnerability involving its customers' personal information, Starbucks has just released an important security patch to its official iOS app. According to Starbucks chief information officer Curt Garner:
"As promised, we have released an updated version of Starbucks Mobile App for iOS which adds extra layers of protection. We encourage customers to download the update as an additional safeguard measure."

The update's sole line of release notes in the App Store only mentions "additional performance enhancements and safeguards." Presumably, the added "safeguards" include a fix for the vulnerability in question.

The vulnerability stems from the Starbucks mobile payment app storing usernames, email addresses, passwords, and location data in plain text. As a result, this information could be accessed through a third-party crash analysis tool by an intruder with physical access to a Starbucks app user's device.

Starbucks yesterday admitted to the oversight, but assured customers that no data had been stolen and that an update to address the issue would be released. That update went live a few moments ago.

The new (and apparently more secure) version of the Starbucks app is available now in the App Store for free. The app is optimized for iPhone and iPod touch running iOS 5.0 or later.