- Multiple Starbucks domains were found to be vulnerable to RCE exploits that have been fixed now.
- The finding came from the company’s HackerOne bug bounty program covering the Singapore platform.
- The coffeehouse company hasn’t clarified if this flaw was under active exploitation or not.
The “mobile.starbucks.com.sg” domain belonging to Starbucks Singapore was found to be vulnerable to remote code execution (RCE) by security researcher and bug bounty hunter Kamil Onur Özkaleli (ko2sec). The man discovered an .ashx endpoint on the mobile domain that would permit unrestricted file type uploads.
The most straight-forward target through this would be to trigger an RCE situation. This is a critical severity (9.8) vulnerability that was discovered and reported on November 5, 2020, and for which the researcher received a bounty payment of $5,600.
While the HackerOne program that was run by the American coffeehouse company concerned the particular domain, the same vulnerability was to be found on more domains of the same family. Thus, everything has been fixed now, and the problem is considered resolved, so the flaw could be publicly disclosed.
Starbucks has made no comments on the finding, and neither have they stated anything about the possibility of malicious actors engaging in exploiting the discovered flaw. The online platforms of Starbucks enable registered users to buy products online, so it holds their email addresses, processes payment information, etc. They even offer e-gift cards for purchase, the risks of which we recently analyzed.
Of course, the fact that Starbucks runs a HackerOne program is commendable and indicative of the fact that the coffee giant really cares about the privacy and security of its customers. So far, the company has received a whopping 1,068 vulnerability reports on the bug bounty platform, paying a total of $640,000 to the reporters.
Kamil Onur Özkaleli has found a total of three flaws in Starbucks Singapore, two of which critical. In July, he found a way to exploit an endpoint on an alternative site of the platform, copying a cookie value from one website to the other, and getting to see sensitive user information. This would open the way to password reset and the eventual account takeover. For this finding, ko2sec got a bounty of $6,000.
If there’s something to deduce from all this, maybe it would be that buying coffee in physical stores using cash would be the most secure and private way to do it.