Starbucks Mobile Domain Vulnerable to Remote Code Execution

  • Multiple Starbucks domains were found to be vulnerable to RCE exploits, which have since been fixed.
  • The finding came from the company’s HackerOne bug bounty program covering the Singapore platform.
  • The coffeehouse company hasn’t clarified if this flaw was under active exploitation or not.

The “mobile.starbucks.com.sg” domain belonging to Starbucks Singapore was found to be vulnerable to remote code execution (RCE) by security researcher and bug bounty hunter Kamil Onur Özkaleli (ko2sec). He discovered an .ashx endpoint (an ASP.NET generic handler) on the mobile domain that accepted file uploads without restricting the file type.

The most straightforward use of such a flaw is to upload a server-side script that the web server will execute, which is what turns an unrestricted upload into RCE. The vulnerability was rated critical (9.8), was discovered and reported on November 5, 2020, and earned the researcher a bounty payment of $5,600.
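To make the "unrestricted file type upload" point concrete, here is an added example of the kind of server-side check that prevents it. It is illustration written for this article, not Starbucks' or the researcher's code, and the allowed extensions, size limit, and sample uploads are assumptions chosen for the demo. It shows the three controls that matter: an extension allow-list (a deny-list would have to enumerate .aspx, .ashx, .asmx, .config and more, and still miss one), a magic-byte check on the content, and a server-generated filename so nothing the client sends ever reaches the filesystem.

```python
import re
import secrets
from dataclasses import dataclass
from typing import Optional

# Allow-list of extensions the feature actually needs (assumed for this demo).
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}

# Leading bytes each allowed type must start with. The client-supplied name and
# Content-Type header are attacker-controlled, so the bytes themselves are checked.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}

MAX_BYTES = 5 * 1024 * 1024  # assumed size limit for the demo

# The client name is only inspected, never written to disk. This pattern still
# rejects path separators, NUL bytes, ';' and double extensions such as
# shell.aspx.jpg, so nothing odd is even considered.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$")


@dataclass
class Verdict:
    accepted: bool
    reason: str
    stored_name: Optional[str] = None  # server-generated, never the client's name


def validate_upload(client_name: str, data: bytes) -> Verdict:
    """Return whether an upload may be stored and, if so, under what name.

    An unrestricted upload handler skips every step below and saves `data`
    under `client_name` beneath the web root, which is why a file such as
    shell.aspx becomes remotely executable.
    """
    if not data:
        return Verdict(False, "empty body")
    if len(data) > MAX_BYTES:
        return Verdict(False, "too large")
    if not SAFE_NAME.fullmatch(client_name):
        return Verdict(False, "unsafe characters in filename")
    ext = "." + client_name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return Verdict(False, f"extension {ext} not allowed")
    if not data.startswith(MAGIC[ext]):
        return Verdict(False, f"content does not look like {ext}")
    # Discard the client name entirely: the stored name is random and carries
    # only the extension that was just validated.
    return Verdict(True, "ok", secrets.token_hex(16) + ext)


if __name__ == "__main__":
    # Constructed sample uploads, not real traffic.
    jpeg_bytes = b"\xff\xd8\xff\xe0" + b"\x00" * 32
    samples = [
        ("photo.JPG", jpeg_bytes),
        ("shell.aspx", b'<%@ Page Language="C#" %>'),
        ("shell.aspx;.jpg", jpeg_bytes),
        ("../web.config", b"<configuration/>"),
        ("photo.jpg", b'<%@ Page Language="C#" %>'),
    ]
    for name, body in samples:
        v = validate_upload(name, body)
        print(f"{name!r:22} accepted={v.accepted} reason={v.reason} stored={v.stored_name}")
```

Even with these checks, the upload directory should sit outside the web root, or be served by a handler that never executes scripts, so that a bypass of the validator does not immediately become code execution.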

Although the HackerOne program run by the American coffeehouse company covered that particular domain, the same vulnerability was present on further domains of the same family. All of them have since been fixed and the issue is considered resolved, which is why the report could be publicly disclosed.

Starbucks has not commented on the finding, nor has it said whether malicious actors may have exploited the flaw before it was fixed. The company’s online platforms let registered users buy products online, so they hold email addresses, process payment information, and so on. They also sell e-gift cards, the risks of which we recently analyzed.

That Starbucks runs a HackerOne program is commendable, and it suggests the coffee giant takes the privacy and security of its customers seriously. So far, the company has received 1,068 vulnerability reports through the bug bounty platform and paid out a total of $640,000 to the reporters.

Kamil Onur Özkaleli has found three flaws in Starbucks Singapore in total, two of them critical. In July, he found a way to exploit an endpoint on an alternative site of the platform: copying a cookie value from one website to the other let him view sensitive user information, which opened the way to a password reset and eventual account takeover. For that finding, ko2sec received a bounty of $6,000.

If there’s something to deduce from all this, maybe it would be that buying coffee in physical stores using cash would be the most secure and private way to do it.
