Researchers earn $4k bug bounty after reporting a vulnerability in Starbucks database; the company patched the flaw within a day
Starbucks Corporation is an American multinational chain of coffeehouses and roastery reserves headquartered in Seattle, Washington. As the world’s largest coffeehouse chain, Starbucks is seen to be the main representation of the United States’ second wave of coffee culture.
A security researcher found that the database of the popular coffee chain Starbucks had a major vulnerability that could have affected millions of user records. According to the researcher, Sam Curry, a flaw in the backend web infrastructure potentially exposed the records of up to 100 million customers of the coffee chain.
The company patched the flaw within a day of its discovery. Until then, it could have exposed user records including names, emails, phone numbers, and addresses. Curry got on the trail of the flaw after ordering a Starbucks gift card for a friend’s birthday. He noticed the request resulted in API calls that seemed “suspicious” because they returned data that appeared to be coming from another host.
Starbucks’ bug bounty program prompted Curry to dig deeper. His subsequent investigation revealed that endpoints under /bff/proxy/ on app.starbucks.com routed requests internally to retrieve and store data. Starbucks maintained a web application firewall (WAF), but Curry was able to circumvent this layer of defense.
The term “bff” actually stands for “Backend for Frontend” and indicates that the application the user interacts with carries the request to another host for the actual logic or functionality.
The researcher, who was assisted in his research by fellow security researcher Justin Gardner and the use of Burp Intruder, discovered that one internal API had an exposed Microsoft Graph instance which could have allowed an attacker to exfiltrate nearly 100 million user records. Other internal endpoints would have likely granted the researchers access to and the ability to modify things like billing address, gift cards, rewards, and offers.
The Starbucks team worked very quickly through this issue and fixed it within a day.
By adding the “$count” parameter to the Microsoft Graph URL, an attacker could determine that the service held nearly 100 million records. An attacker could have stolen this data by adding parameters such as “$skip” and “$count” to enumerate all user accounts.
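As an added example (not code from the article or from the researchers' write-up), a small Python detector for the pattern described above: it flags requests to the /bff/proxy/ prefix that carry OData paging options such as $count and $skip, which a first-party frontend has no reason to send through a backend-for-frontend proxy, and surfaces clients whose $skip values indicate paging through the whole collection. The log lines, the /bff/proxy/users path and the threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not real traffic); columns are
# client_ip, method, request_target, status. Paths are made up.
SAMPLE_LOG = """\
10.0.0.5 GET /bff/proxy/orders/recent 200
10.0.0.9 GET /bff/proxy/users?$count=true 200
10.0.0.9 GET /bff/proxy/users?$skip=0&$count=true 200
10.0.0.9 GET /bff/proxy/users?%24skip=1000&%24count=true 200
10.0.0.9 GET /bff/proxy/users?$skip=2000 200
10.0.0.9 GET /bff/proxy/users?$skip=3000 200
10.0.0.7 GET /bff/proxy/rewards/balance 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")
PROXY_PREFIX = "/bff/proxy/"
# OData system query options the frontend never sends through the proxy;
# $count and $skip are the two named in the article, $top is a sibling option.
ODATA_OPTIONS = {"$count", "$skip", "$top"}


def parse_line(line):
    """Return (ip, method, target, status) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None


def odata_params(target):
    """Map OData options present in the query string to their values.
    Keys are percent-decoded a second time so %24skip is seen as $skip."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    decoded = {unquote(k): v for k, v in query.items()}
    return {k: v for k, v in decoded.items() if k in ODATA_OPTIONS}


def flag_requests(log_text):
    """Proxy requests carrying OData options, as (ip, target, sorted options)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec[2].startswith(PROXY_PREFIX):
            continue
        opts = odata_params(rec[2])
        if opts:
            hits.append((rec[0], rec[2], sorted(opts)))
    return hits


def enumerators(log_text, min_skips=3):
    """Clients whose distinct $skip values suggest paging through the collection."""
    skips = defaultdict(set)
    for ip, target, opts in flag_requests(log_text):
        if "$skip" in opts:
            skips[ip].update(odata_params(target)["$skip"])
    return {ip: len(v) for ip, v in skips.items() if len(v) >= min_skips}
```

Running the detector over the sample log reports only the client stepping through $skip offsets; the ordinary frontend calls are left alone.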
The researcher, who published a detailed technical write-up of his findings last week, earned a $4,000 payout from Starbucks under its bug bounty program.