If you use Starbucks’ official iOS app, you should know that the company isn’t encrypting any of your information, including your password.
Security researcher Daniel Wood reportedly contacted Starbucks in November about a security flaw that allows hackers access to unencrypted user information through the app. After being ignored, Wood chose to publicly release the vulnerability today as a way of forcing Starbucks to take action.
Following the reveal, a Starbucks executive said that “We are aware” of the problem and that security measures have been taken to ensure that “usernames and passwords are safe.” Despite that statement, Wood claims that nothing has changed and that classified user credentials are still just as easily accessible in plain text.
The vulnerability, however, requires that the hacker have physical access to your phone. Since a thief who wanted free coffee could simply send a screenshot of your personal Starbucks barcode, the primary concern here would be if you reuse your Starbucks password across multiple accounts.
Hopefully users stir up enough of a ruckus that Starbucks will decide to start encrypting its user information, you know, like any normal massive company would.