CREAM, SUGAR, AND SECURITY BUGS: ANOTHER STARBUCKS VULNERABILITY
Mohamed M. Fouad, a security researcher from Egypt, revealed several critical vulnerabilities in the Starbucks website this past week. As millions of Starbucks customers have accounts stored on the website and some include their credit card information in their profiles, the vulnerabilities had a chance to affect a large number of the coffee chain’s customers. Fouad became interested in analyzing the security parameters of Starbucks’ web properties after the chain recently joined a bug bounty program, advertising financial incentives for hackers and researchers to report security flaws to the company.
The security flaws Fouad found in the website include a Remote File Inclusion Vulnerability, which could allow an attacker to inject a file into a Starbucks’ web page from any location, exposing Starbucks customers to data theft as the inserted file would be loaded within the official Starbucks URL. If a cyber-criminal utilized the flaw, they could inject a fraudulent webpage into the legitimate Starbucks URL and capture customer account information to hijack their accounts or collect credit card details through a phishing attack. Furthermore, this vulnerability could accommodate remote code execution on the company’s web servers.
Additionally, Fouad discovered a Cross-Site Request Forgery vulnerability. This vulnerability could allow an attacker to trick users into clicking a link that could hijack their accounts, as the link could contain code that would change their account information including passwords.
Fouad reported the security vulnerabilities to Starbucks twice but did not receive a reply. He then reported them to US-CERT (United States Computer Emergency Readiness Team) who confirmed that the security flaws were addressed by Starbucks before he went public with his findings. As of this time, Fouad is still waiting for a response from Starbucks, including the details of his bug bounty reward.
The report of the security vulnerabilities follows previous stories about a Starbucks gift card flaw that allowed users to duplicate funds on their cards using the Starbucks site and a password vulnerability affecting the company’s popular mobile app.