Coles app vulnerable to hackers, says CERT

Users of the Coles Credit Card app are being warned of a security vulnerability that could allow hackers to pinch their usernames and passwords.

The Android version of the smartphone app fails to properly validate the cryptographic security certificates presented by the servers it connects to, according to the US-based Computer Emergency Response Team (CERT).

That leaves it open to so-called "man-in-the-middle" attacks, in which hackers can intercept data exchanged between the app and a remote server, endangering sensitive information.
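The flaw described above is a well-known Android mistake: an app installs its own trust logic that accepts any certificate, so the TLS handshake succeeds even when the party on the other end is not the real server. The following Java example is added here for illustration and is not code from the Coles app or from CERT; the class and method names are hypothetical. It shows the vulnerable pattern next to the correct one, plus the self-test a developer or tester can run: a properly validating app must refuse a server whose certificate is not trusted by the device.

```java
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import java.net.URL;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;

// Hypothetical class for illustration only; not the Coles app's code.
public final class TlsValidationExample {

    // ANTI-PATTERN: a TrustManager whose check methods never throw, so every
    // certificate chain is "trusted". Any connection built on this context
    // will complete a handshake with an attacker presenting a self-signed
    // certificate, which is exactly the man-in-the-middle exposure.
    static SSLSocketFactory insecureFactory() throws Exception {
        TrustManager[] trustAll = new TrustManager[] {
            new X509TrustManager() {
                @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
                @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        return ctx.getSocketFactory();
    }

    // Companion anti-pattern: a HostnameVerifier that accepts any name, so a
    // valid certificate for a completely different host is also accepted.
    static final HostnameVerifier ALLOW_ANY_HOST = (hostname, session) -> true;

    // VULNERABLE: both overrides applied. Credentials sent over this
    // connection can be read by whoever sits between the phone and the server.
    static HttpsURLConnection openInsecure(String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(insecureFactory());
        conn.setHostnameVerifier(ALLOW_ANY_HOST);
        return conn;
    }

    // CORRECT: no overrides at all. HttpsURLConnection then validates the
    // chain against the device's trust store and checks that the certificate
    // matches the host in the URL.
    static HttpsURLConnection openVerified(String url) throws Exception {
        return (HttpsURLConnection) new URL(url).openConnection();
    }

    // Self-check for developers and testers: point the app at a test server
    // that uses a self-signed (untrusted) certificate. Correct validation
    // surfaces as an SSLHandshakeException; returning true here means the
    // connection code rejected the untrusted server as it should.
    static boolean rejectsUntrustedServer(HttpsURLConnection conn) {
        try {
            conn.connect();
            conn.disconnect();
            return false;   // handshake succeeded: validation is missing
        } catch (SSLHandshakeException expected) {
            return true;    // untrusted certificate was refused
        } catch (Exception other) {
            return false;   // some other failure; not evidence of validation
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder URL for a test server with a self-signed certificate
        // (not a real host; substitute your own test endpoint).
        String untrustedTestServer = "https://selfsigned.test.invalid/";
        System.out.println("verified connection rejects untrusted server: "
                + rejectsUntrustedServer(openVerified(untrustedTestServer)));
        System.out.println("insecure connection rejects untrusted server: "
                + rejectsUntrustedServer(openInsecure(untrustedTestServer)));
    }
}
```

When run against a real self-signed test endpoint, the verified connection reports `true` and the insecure one reports `false`; that second result is the signature of the class of bug CERT was flagging. On Android 7 and later the same trust policy can be declared in the app's Network Security Config XML rather than in code, which avoids the temptation to paste in a permissive TrustManager during development and ship it.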

The app, which is billed as "secure", allows Coles credit card users to access and manage their accounts via a username and password.

It was named as vulnerable along with some 350 others, including apps from Microsoft and eBay.

Researcher Will Dormann said CERT was in the process of notifying the owners of the affected apps.

But he said the organisation was not waiting the customary 45 days before making the information public.

"If an attacker is interested in performing man-in-the-middle attacks, they're already doing it," he said in a blog post.

"That cat is already out of the bag."

It's understood Coles has not been notified by CERT of the vulnerability, and the app remains available on the Google Play store as of Friday afternoon.

"Our credit card app has never experienced a security vulnerability," a Coles representative said.

"We have systems in place to immediately react to the ever-changing demands of the digital environment."

Coles has constant fraud monitoring in place and customers' money is covered by MasterCard's Zero Liability Guarantee.

Users can minimise their risk of being attacked by using trusted networks and avoiding public Wi-Fi networks.