Update: A Starbucks spokesperson told The Verge that a future update to the app will bring a new credential storage method that will no longer expose usernames and passwords as plain text. An earlier release from the company said that the new version would be ready "soon."
Security researcher Daniel Wood publicly disclosed the vulnerability, which would require an attacker to have physical access to the device, on Monday. Wood told Computerworld that he first contacted Starbucks to report the flaw last November and only went public after the company failed to act.
At issue is a log file generated by Twitter-owned crash reporting analytics firm Crashlytics. The log file, which Wood says can be retrieved from a user's handset even if the phone is locked with a PIN, contains unencrypted versions of the customer's username, email address, and password.
Starbucks executives, for their part, acknowledged the vulnerability and said that they have made changes to mitigate the danger.
"We were aware" of the problem, Starbucks' Chief Digital Officer Adam Brotman told Computerworld, before adding that the chain has "adequate security measures in place now" and that "usernames and passwords are safe." Following the statements, Wood reassessed the situation and found that the credentials were still freely available.
While this particular vulnerability is unlikely to cause widespread damage, the publication notes that it does provide an opportunity to remind the public of the dangers of reusing passwords across services. A targeted attack against an individual who uses the same password for both Starbucks and their online banking service, for instance, could yield a significant payday for the attacker and a financial headache for the victim.