It was revealed today that the iOS app for coffee chain Starbucks has some lax security standards. According to Computerworld, Starbucks executives confirmed on Tuesday that the app stores usernames and passwords in unencrypted plaintext, making it relatively easy for someone else to get ahold of those login credentials. Good thing most people don't reuse passwords between different online accounts!
Two company executives told Computerworld that the vulnerability—which also exposes geolocation data—was not news to them, and that they had known about it since last November. In a press release Thursday, the company said that it would update the app's security, while adding that there is not a single reported instance of the problem affecting anyone.
It's important to point out that the safety concerns in this particular situation still require a fair amount of jumping through hoops. For one thing, a hacker would need physical access to the phone in order to access the logs that store login credentials, and being able to access a Starbucks account would pretty much limit them to refilling any Starbucks gift card tied to the account—financial death by a thousand lattes. The danger is more that many people reuse passwords between services, and if the same credentials are tied to, let's say, a bank account, things get much hairier.
In the grand scheme of things, the vulnerability ranks pretty low. Tumblr encountered an almost identical situation last summer. In recent memory, the Target hack that compromised the information of 70 million customers still takes the cake, and that company is offering a free year of credit monitoring to its customers.