10 million Starbucks customers at risk for official iOS app flaw

Security researcher Daniel E. Wood discovered a vulnerability in the Starbucks official iOS app related to the insecure storage of user data.

10 million Starbucks customers who purchases drinks and food using their Smartphones are exposed to serious risk of data breach.

This is yet another story in which a poor implementation of minimum security requirements could have an impact on the end user and it digital identity, just as happened in the Snapchat case.

The official Starbucks iOS app doesn’t encrypting user’s data, including your password. The Starbucks app is usable by the customers to pay products of the popular Coffee Company, and to perform usual operations available on a banking account such as control the balance, fund transfer and check transaction history.

The Security researcher Daniel E. Wood discovered the vulnerability (CVE-2014-0647) in STARTBUCKS v2.6.1. iOS application, he revealed that the app stores user’s credential details and GPS data in plain text in the following file:


Once know the location is quite easy for an attacker, that has physical access to the handset, to retrieve the user’s information accessing ‘session.clslog‘ file. The attacker once accessed with the file could gain access to the customer’s amount of money available on the Starbucks account.

As usual the hack could cause further problem to the clients of Starbucks that used the app if they share same credential on different web services, the recommendation for who made purchases is to change it immediately and adopting a different username and password for every service

If you are using your email password as the same Starbucks account password, please change it on first priority.Starbucks has promptly managed the incident, issuing an official statement to inform the clients and a successily providing an advisory to publicize the availability for an app update.

“UPDATE (January 16, 2014 09:00 PM P.S.T.): As promised, we have released an updated version of Starbucks Mobile App for iOS which adds extra layers of protection. We encourage customers to download the update as an additional safeguard measure. Read a letter from Curt Garner, Starbucks chief information officer, regarding customer information and Starbucks Mobile App for iOS”

The company remarked that there is no evidence that its customers have been impacted, but let me suggest you to follow the above suggestions.

“We’d like to be clear: there is no indication that any customer has been impacted by this or that any information has been compromised.” the company is asking to its customers to report any suspicious activity or fraud occurred.

It’s time to consider seriously the security of mobile apps, such flaws represent a serious threat to a user’s security and privacy, the situation is particularly alarming for mobile banking, a sector considered privileged by cybercriminals.

Not different is the situation for use of mobile application in workspace, a growing number of application are developed also by enterprise for internal use, also in this case security is a must and could expose the company to risk of cyber attack.

Back to the Starbucks app …  also enjoy a cup of coffee could be dangerous, inNaples we say:
“Excuse me, coffee makes me nervous”

Pierluigi Paganini

(Security Affairs –  Starbucks, hacking)

Pierluigi Paganini: Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

This website uses cookies.