Starbucks coffee purchase app insecure, admits firm

Researchers found the app can give hackers full access to your phone - and Starbucks admitted there are security flaws that need to be fixed.

It's only been in the digital age where buying a coffee could result in your account being completely cleaned out. 

Mobile technology is an incredible thing. Rapid access to information, social media networks, email, rapid communication . . . the list goes on as to what you can do thanks to smartphones, tablets and the Internet. I can't remember the last time I consulted a traditional A to Z on the road; instead, Google Maps gets me to where I need to be (although admittedly sometimes by very odd route choices). 

Thanks to the popularity of such technology, contactless payments and NFC technology have enjoyed rapid expansion and innovation. Mobile applications allow you to purchase items, from clothing to coffee -- but as convenient as this may be, often companies focus more to functionality and design than security.

It's no joke when a company's purchase apps are infiltrated by hackers. Not only can customer banking details, addresses and contact information be stolen, but a firm's reputation is damaged. 

Sadly for Starbucks, this happened.

The iOS app which allows coffee drinkers to purchase items from their smartphone is not only dreadfully insecure due to a lack of data encryption by Starbucks, but security researcher Daniel E. Wood found a vulnerability in the app that allows hackers to access money on customer accounts.

The vulnerability, CVE-2014-0647 in the v2.6.1 version of the mobile app can be exploited if a hacker has access to your smartphone. Once plugged into a PC, an infiltrator can access your credentials and GPS data in a plain text format on the file system.

In response to the vulnerability, Starbucks immediately jumped on the case, and released a statement saying:

"We take these types of concerns seriously and have added several safeguards to protect the information you share with us. To protect the integrity of these added measures, we are unable to share technical details but can assure you that they sufficiently address the concerns raised in the research report."

There is now an updated version of the application which has improved layers of security. However, the reactive rather than proactive behavior of firms which use these technologies simply isn't good enough -- as we see weekly (think Target) -- due to the rising rates of cybercrime.

Via: The Hacker News

This post was originally published on