updated 11:51 am EST, Thu January 16, 2014
Coffee vendor claims it has put 'security measures in place'
The official Starbucks iPhone app doesn't encrypt usernames, passwords, or location data, a security researcher has revealed. Daniel Wood says he published the information only after receiving no response from Starbucks. To see the personal data, a person needs to have physical access to an iPhone -- but the content is stored in plain text, and even lists location data in latitude and longitude.
Confronted with the issue by Computerworld, Starbucks says that it has "security measures in place now related to that." Wood tells The Verge, however, that those measures are irrelevant, since it's the app itself that needs to be secured.
The damage potential of the vulnerability is relatively limited, but it could let someone stalk a victim, or buy things at Starbucks as long as the victim has the "auto-replenish" option turned on for their funds. If the victim uses the same password elsewhere, the exposed credentials could also be a way of hacking into those accounts.