In exchange for convenience, an earlier version of the app made an iPhone owner's Starbucks account information easily available to anyone who stole the phone.
Rest easy, Starbucks iOS mobile payment users: Download the company’s new app and your password and confidential account information will be safe.
That assurance comes from Starbucks spokesperson Maggie Jantzen, who wrote in response to our earlier story about security concerns with the app. Jantzen tells us the company fixed the app, which previously stored user names, passwords, GPS locations and other confidential customer information in insecure clear text.
Customers are urged to download the updated app for what Jantzen says is an “extra layer of protection.”
In addition, Jantzen directed us to an official Starbucks statement by the company’s chief information officer, Curt Garner, which says, in part:
1. We have no indication that any customer has been impacted by this or that any information has been compromised
2. Last week we added safeguards to protect against the theoretical vulnerabilities raised by [security researcher] Daniel Wood.
3. [We] released an update for the app that will add extra layers of protection, and are encouraging customers to download it as an additional safeguard.
The previous version of the app would allow anyone to plug the phone into a computer for just a few seconds and access sensitive information about the account holder and his or her location history, reports NBC News. The app would also have allowed unauthorized users to make purchases.
Wood, who originally uncovered the security misstep, tells Computerworld that the issues are resolved.
Computerworld also says:
It should be pointed out, though, that Wood is no longer the independent security researcher that he was two days ago, since Starbucks has now brought him on as a security consultant, along with the standard nondisclosure agreement. Wood said it is, at this time, an unpaid role.