Starbucks said it has fixed the issue in the new version (2.6.2) of the iOS app and, according to Daniel Wood, the researcher who initially discovered the security flaw, the issue is now resolved.
The app no longer stores the Starbucks account password in plaintext (the password is now saved in Apple's encrypted keychain), and records only the coordinates of the last location where a customer used their device.
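To show what the fix described above amounts to in practice, here is an added illustration in Swift of the two storage choices: writing a credential to a plain file in the app sandbox (the kind of behaviour the original flaw involved) versus storing it as a Keychain item through Apple's Security framework. This is example code written for this article, not Starbucks' app code or anything published by the researcher; the service name, account name and file name are assumed placeholders.

```swift
import Foundation
import Security

enum KeychainError: Error {
    case unhandled(OSStatus)
}

// Example credential store; identifiers below are hypothetical.
enum CredentialStore {
    static let service = "com.example.demo-app"   // assumed service identifier

    // The pattern the article says was removed: a secret written as plaintext
    // into the app's Library directory. Anything that can read the sandbox
    // (an unencrypted backup, a jailbroken device) can read it too.
    static func storeInsecurely(password: String) throws {
        let dir = FileManager.default.urls(for: .libraryDirectory, in: .userDomainMask)[0]
        let url = dir.appendingPathComponent("credentials.txt")   // assumed file name
        try password.write(to: url, atomically: true, encoding: .utf8)
    }

    // The fixed approach: a generic-password Keychain item. The accessibility
    // class limits reads to an unlocked device and keeps the item out of
    // backups that could be restored onto other hardware.
    static func save(password: String, account: String) throws {
        var query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
        // Drop any stale copy first so SecItemAdd does not fail with errSecDuplicateItem.
        SecItemDelete(query as CFDictionary)

        query[kSecValueData as String] = Data(password.utf8)
        query[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly

        let status = SecItemAdd(query as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.unhandled(status) }
    }

    // Reads the item back; returns nil when nothing is stored for the account.
    static func load(account: String) throws -> String? {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecReturnData as String: true,
            kSecMatchLimit as String: kSecMatchLimitOne,
        ]
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        if status == errSecItemNotFound { return nil }
        guard status == errSecSuccess, let data = item as? Data else {
            throw KeychainError.unhandled(status)
        }
        return String(data: data, encoding: .utf8)
    }

    // Removes the item, e.g. on sign-out.
    static func delete(account: String) {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
        SecItemDelete(query as CFDictionary)
    }
}

// Usage (assumed account name):
// try CredentialStore.save(password: "s3cret", account: "user@example.com")
// let stored = try CredentialStore.load(account: "user@example.com")
```

The point a reviewer would check in an app audit is not only that the Keychain is used but which accessibility class is chosen: `kSecAttrAccessibleWhenUnlockedThisDeviceOnly` is the most restrictive common option, while the `Always`-style classes or the migratable variants weaken the protection the Keychain is meant to provide.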
"As such, I do not believe this file is a security concern as it does not aggregate geolocation data over time," he noted in an email sent to the Full Disclosure mailing list. "Your stored geolocation is overwritten each time and cannot be used to track your movement patterns over time."
He also added that the flaw was not as serious as media made it out to be.
"During the initial testing of the application, at no point was there credit card data contained within this file, only your Starbucks Card number and balance amount. At no point were Starbucks's data servers compromised, exposing their 10 million customers to the application as some reports have suggested. This was a local exploitable vulnerability on a user's device, not a remotely exploitable vulnerability on their servers or any other type of remote code execution vulnerability."
As a side note: Wood says that he has been "in continuous communication with Starbucks" while the company was working on fixing the flaw. According to Evan Schuman, Wood has been temporarily retained by the company as a security consultant (albeit unpaid for the time being).