Starbucks Mobile Domain Vulnerable to Remote Code Execution

  • Multiple Starbucks domains were found to be vulnerable to RCE exploits that have been fixed now.
  • The finding came from the company’s HackerOne bug bounty program covering the Singapore platform.
  • The coffeehouse company hasn’t clarified if this flaw was under active exploitation or not.

The “” domain belonging to Starbucks Singapore was found to be vulnerable to remote code execution (RCE) by security researcher and bug bounty hunter Kamil Onur Özkaleli (ko2sec). The man discovered an .ashx endpoint on the mobile domain that would permit unrestricted file type uploads.

The most straight-forward target through this would be to trigger an RCE situation. This is a critical severity (9.8) vulnerability that was discovered and reported on November 5, 2020, and for which the researcher received a bounty payment of $5,600.

While the HackerOne program that was run by the American coffeehouse company concerned the particular domain, the same vulnerability was to be found on more domains of the same family. Thus, everything has been fixed now, and the problem is considered resolved, so the flaw could be publicly disclosed.

Starbucks has made no comments on the finding, and neither have they stated anything about the possibility of malicious actors engaging in exploiting the discovered flaw. The online platforms of Starbucks enable registered users to buy products online, so it holds their email addresses, processes payment information, etc. They even offer e-gift cards for purchase, the risks of which we recently analyzed.

Of course, the fact that Starbucks runs a HackerOne program is commendable and indicative of the fact that the coffee giant really cares about the privacy and security of its customers. So far, the company has received a whopping 1,068 vulnerability reports on the bug bounty platform, paying a total of $640,000 to the reporters.

Kamil Onur Özkaleli has found a total of three flaws in Starbucks Singapore, two of which critical. In July, he found a way to exploit an endpoint on an alternative site of the platform, copying a cookie value from one website to the other, and getting to see sensitive user information. This would open the way to password reset and the eventual account takeover. For this finding, ko2sec got a bounty of $6,000.

If there’s something to deduce from all this, maybe it would be that buying coffee in physical stores using cash would be the most secure and private way to do it.



Norway Publishes Intention to Fine Disqus €2.5 million

The data protection authority in Norway is readying to fine Disqus $3 million for GDPR violations.The commenting system is reportedly collecting user...

Leaky Peloton API Allowed Anyone to Access Private User Data

The Peloton app API allowed any user to access someone else’s data even if they were in “private” mode.Peloton failed to address...

The Conti Group Claims to Have Stolen the Data of ‘Mission Imprintables’ Clients

The Conti ransomware gang claims to have compromised ‘Mission Imprintables.’The actors are allegedly holding sensitive details on the platform’s clients, orders, and...