Hacking Starbucks’ App-uccino

  • By Paul Rubell
  • 16 Jan, 2014

UPDATE: ON JANUARY 16, 2014, THE SAME DAY THAT I PUBLISHED THIS BLOG, STARBUCKS ISSUED A SECURITY UPDATE TO ITS MOBILE APP TO CURE SOME OF THE DEFICIENCIES THAT I IDENTIFIED BELOW.

A major security flaw in the mobile Starbucks app is exposing more than 7 million customers to theft. Not just identity theft: directly stealing their money.

Before I begin my diatribe about security and privacy risks, I’ll confess: I am an avid Starbucks consumer. I really like its bold coffee; I meet people for social and business meetings in its cafes; I read and type there.

And I always pay for my coffee with my gold Starbucks card. (Why not? I earn points towards a free drink after every 15 purchases.)

I’ve always marvelled when other customers pay by allowing a Starbucks employee to scan their telephones. I never understood their reasoning, other than the “cool” factor.

First of all, it’s no more convenient to swipe a phone than to swipe a credit card.

Second, if “cool” and status are one’s goals, the gold card sends that message to anyone in sight, doesn’t it?

But most significantly, why would you want another person to scan the screen of your phone, using her employer’s scanning device? It’s one thing to use your phone to scan other objects (by using a bar-code scanning app or taking a photo, for example). But the converse seems foolhardy and risky: letting a 3rd party’s device view your own phone.

Somehow, that always seemed unwise to me. Not from a technological viewpoint, but merely common sense. Exposing your phone is exposing your private life. What is the Starbucks scanning machine reading? Just your credit information? Or your emails?

Certainly, you’ve told Starbucks your geolocation data merely by paying at a given store. (But you do that when you pay any merchant with a credit card, at Starbucks or anywhere else, since you are obviously at the physical brick-and-mortar store when you use your card.)

Now, let’s step aside from the illogic of using the Starbucks mobile app.

It contains a security flaw that puts you in harm’s way.

Most banking and payment apps require the user to enter a username and password each time the app is used. Not so with the Starbucks app.

It’s so easy to use the app. Maybe that’s the temptation for customers to use it.

Once the app has been installed on a phone, it can be used whenever it’s opened, without the need to type a password. This is accomplished because the password is stored on the phone.

The password is not merely held in the app's memory: it is written to the phone's file system. And not only is it embedded in your phone's file system, it is not even encrypted there. The password is visible in a cleartext file that the app (and anyone else with access to the file system) can read.


This ease-of-use feature is also an ease-of-hacking feature. Daniel Wood identified and described this security bug.

The text file is readily available to anyone who gains access to your phone. The phone's PIN does not even have to be entered or bypassed in order to read the text file that contains your Starbucks password.
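The practical check that follows from this is to look at what an app actually leaves on disk. The script below is an added example, not code from this post or from Daniel Wood's write-up, and it does not touch the real Starbucks app: it builds a constructed, hypothetical app sandbox (file names such as com.example.coffee.plist and session.log are made up) in a temporary directory, then scans every file for a known account email and password. Because "not encrypted" includes trivially reversible encodings, it also searches for the base64 and URL-encoded forms of each secret, which is how credentials often hide in log lines and preference files. A hardened app stores only an opaque session token, shown here as a random hex string that the scan correctly ignores.

```python
"""Scan an extracted app data directory for credentials stored in cleartext.

Added example: the directory layout and file names below are constructed for
illustration and are not the real Starbucks app's files.
"""
import base64
import os
import tempfile
import urllib.parse
from pathlib import Path


def encodings_of(secret: str) -> dict:
    """Forms a 'stored but not encrypted' secret commonly takes on disk.

    base64 and URL-encoding are reversible transforms, not encryption, so a
    scan that only looks for the raw string would miss them.
    """
    return {
        "plain": secret.encode(),
        "base64": base64.b64encode(secret.encode()),
        "urlencoded": urllib.parse.quote(secret, safe="").encode(),
    }


def scan_directory(root, secrets: dict) -> list:
    """Walk `root` and return (relative path, secret label, encoding) for each hit."""
    hits = []
    probes = {label: encodings_of(value) for label, value in secrets.items()}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()  # byte search, so binary plists/logs are covered too
        for label, forms in probes.items():
            for encoding, needle in forms.items():
                if needle in data:
                    hits.append((str(path.relative_to(root)), label, encoding))
    return hits


def build_sample_sandbox(root, email: str, password: str) -> Path:
    """Constructed sample sandbox (hypothetical files, not real app data)."""
    root = Path(root)
    prefs = root / "Library" / "Preferences"
    logs = root / "Library" / "Logs"
    prefs.mkdir(parents=True)
    logs.mkdir(parents=True)

    # Insecure pattern: the login credentials written verbatim to a preferences file.
    (prefs / "com.example.coffee.plist").write_text(
        f"<key>username</key><string>{email}</string>\n"
        f"<key>password</key><string>{password}</string>\n"
    )
    # Insecure pattern: the same credentials leaking into a log, merely encoded.
    (logs / "session.log").write_text(
        "login user=" + urllib.parse.quote(email, safe="")
        + " auth=" + base64.b64encode(password.encode()).decode() + "\n"
    )
    # Hardened pattern: only an opaque session token is persisted; the password
    # never reaches the file system. Hex cannot contain '@', '!', '%' or '=',
    # so none of the probe strings can match it by accident.
    (prefs / "session_token").write_text(os.urandom(32).hex())
    return root


def demo() -> list:
    """Build the constructed sandbox, scan it, and return the cleartext hits."""
    secrets = {"email": "jane.doe@example.com", "password": "Latte!2014"}  # constructed
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_sandbox(tmp, **secrets)
        return scan_directory(root, secrets)


if __name__ == "__main__":
    for rel_path, label, encoding in demo():
        print(f"{rel_path}: {label} stored as {encoding}")
```

Point the same `scan_directory` at a real extracted sandbox or device backup with your own account email and password as the probe values; any hit means the app has persisted a credential that a phone thief, malware or a forensic tool can read without ever asking for it.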

Why does this matter?

Once your password is in the hands of a malevolent person, your cash balance in your Starbucks account can be stolen.

But that’s rarely a significant amount of money, usually only US $25 or less.

However, if you've set your app to reload your card automatically, the hacker can trigger reloads of your account with larger sums of money, and then drain that additional cash as well.

Worse still, most of us are sloppy with our password protection. Most of us use only 1 or 2 passwords for all of our accounts – for banking, for email, for Google/Youtube, for access to so many aspects of our digital lives.

So here’s the worst case scenario (and not far-fetched):

1. Your Starbucks password is hacked (easily).

2. Your Starbucks account is drained (easily).

3. Your credit card reloads your Starbucks account, and that is drained.

4. Your geolocation data becomes known.

5. The credit card you use to load your Starbucks account becomes known.

6. Mobile bank apps on your phone indicate the banks that you use.

7. If you use the same password for those banks that you use for your Starbucks account, it becomes easy to hack into your bank accounts and withdraw and borrow money.

8. If your Starbucks password is also used for your cloud-based email (Gmail, Yahoo, etc), then your business and personal conversations can be misappropriated.

9. If your Starbucks password is also used for your social media sites... anything can happen.

Lessons learned:

1. Don’t store your passwords on your phone.
2. Don’t pay for coffee with a mobile app.

Your thoughts?
