Starbucks stays schtum, after patching critical website vulnerabilities

Starbucks has patched three critical vulnerabilities on its website, but it still hasn't responded to the security researcher who first found the bugs.

Mohamed M. Fouad, an Egyptian security researcher, recently published a post on his blog that explains the severity of his discovery.

Motivated by the coffee company's bug bounty program, Fouad examined Starbucks' website code and found three vulnerabilities that, if exploited, could have allowed an attacker to change a user's profile settings and email account, as well as steal their credit card details.

The first vulnerability was a remote code execution (RCE) bug, followed by a remote file inclusion (RFI) flaw. This second hole could have allowed an attacker to perform RCE attacks on the Starbucks web server or on the client side, the latter of which could have been leveraged to execute cross-site scripting (XSS) attacks.

As The Hacker News reported, the second vulnerability could have also allowed attackers to stage phishing attacks in an attempt to siphon off customers' credit card details.

Finally, Fouad found a cross-site request forgery (CSRF) vulnerability that an attacker could have exploited by luring victims to an attacker-controlled HTML page, or by injecting HTML into a target website, so that the victim's browser submitted requests to Starbucks with the victim's own session. This type of flaw allows attackers to go after users' accounts, change their profile settings, and steal their payment information.
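The CSRF pattern described above, as an added example that is not from Fouad's report or from Starbucks' code. It simulates a logged-in victim's browser posting a change-of-email form from an attacker's page, first against a handler that trusts the session cookie alone, then against the same handler hardened with a per-session synchronizer token and an Origin check. The origin `https://shop.example`, the endpoint behaviour and the session identifiers are all constructed for the demo.

```python
import hmac
import secrets

# Constructed in-memory state for the demo (hypothetical, not a real site):
# one logged-in user whose session cookie the browser attaches to every request.
SESSIONS = {"sess-abc123": {"user": "alice", "email": "alice@example.com"}}
# Synchronizer token issued when the first-party profile page is rendered;
# a cross-origin page cannot read it.
CSRF_TOKENS = {"sess-abc123": secrets.token_hex(16)}
SITE_ORIGIN = "https://shop.example"  # assumed first-party origin


def browser_request(origin, cookies, form):
    """Simulate the browser: a cross-site form post still carries the victim's
    cookies (the pre-SameSite default), which is exactly what CSRF abuses."""
    return {"origin": origin, "cookies": cookies, "form": form}


def change_email_vulnerable(req):
    """Trusts the session cookie alone: any page that can make the victim's
    browser submit a form here can change the account's email address."""
    session = SESSIONS.get(req["cookies"].get("session"))
    if session is None:
        return 401, "not logged in"
    session["email"] = req["form"]["email"]
    return 200, "email updated"


def change_email_hardened(req):
    """Same handler with two independent CSRF defences: an Origin check and a
    per-session token that the attacker's page cannot obtain."""
    sid = req["cookies"].get("session")
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not logged in"
    if req["origin"] != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    expected = CSRF_TOKENS.get(sid, "")
    supplied = req["form"].get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):  # constant-time compare
        return 403, "missing or invalid CSRF token"
    session["email"] = req["form"]["email"]
    return 200, "email updated"


def forged_request():
    """What an attacker page like
       <form action="https://shop.example/profile/email" method="POST">
         <input name="email" value="attacker@evil.example"></form>
       <script>document.forms[0].submit()</script>
    produces when the victim loads it while logged in: the browser sets the
    Origin header to the attacker's site and cannot forge it from script."""
    return browser_request(
        origin="https://evil.example",
        cookies={"session": "sess-abc123"},
        form={"email": "attacker@evil.example"},
    )


def legitimate_request():
    """The first-party form, which embeds the token rendered into the page."""
    return browser_request(
        origin=SITE_ORIGIN,
        cookies={"session": "sess-abc123"},
        form={"email": "alice.new@example.com",
              "csrf_token": CSRF_TOKENS["sess-abc123"]},
    )


def demo():
    """Run the forged request against both handlers and the legitimate request
    against the hardened one; return statuses and the resulting email."""
    acct = SESSIONS["sess-abc123"]
    acct["email"] = "alice@example.com"
    vuln_status, _ = change_email_vulnerable(forged_request())
    vuln_email = acct["email"]
    acct["email"] = "alice@example.com"
    forged_status, _ = change_email_hardened(forged_request())
    forged_email = acct["email"]
    legit_status, _ = change_email_hardened(legitimate_request())
    legit_email = acct["email"]
    return {
        "vulnerable_status": vuln_status, "vulnerable_email": vuln_email,
        "hardened_forged_status": forged_status, "hardened_forged_email": forged_email,
        "hardened_legit_status": legit_status, "hardened_legit_email": legit_email,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The vulnerable handler accepts the forged post and the victim's email becomes the attacker's, which is the precondition for a password reset to an attacker-controlled inbox; the hardened handler rejects it while still accepting the genuine first-party form. In a real deployment the token must be tied to the session, regenerated on login, and sent only in the form body or a custom header, never in a cookie that the browser would attach automatically.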

Below you can view a proof-of-concept video in which Fouad demonstrates how easy it is to exploit the CSRF vulnerability:

The security researcher states that he discovered the vulnerabilities back on June 29, 2015 and reported the bugs to Starbucks the same day.

Despite contacting the coffee company twice more before August (once via email and once via Twitter), Fouad has still not heard back from Starbucks.

Later in the summer, Fouad reached out to US-CERT, which on August 20, 2015 confirmed that Starbucks had indeed fixed the issues some ten days prior.

Starbucks' bug bounty program is still in its infancy. In fact, it is only a couple of months old, having been introduced after it responded poorly to another researcher demonstrating how its gift cards could be exploited.

The coffee company now has the perfect opportunity to follow through with Fouad and demonstrate to the security community that it can act as a reliable partner when it comes to acknowledging the work of security researchers.

Should the coffee company not contact Fouad, however, it could send the message that its bug bounty program is hollow and that researchers who find bugs in the future should take (and possibly sell) their discoveries elsewhere.


4 Responses

  1. coyote

    September 22, 2015 at 8:08 pm

    Not only three critical flaws but three common types of flaws. To think that Starbucks took as long as they did to fix it is bad enough; that they had all three in the first place is worse.

    "… is hollow and that researchers who find bugs in the future should take (and possibly sell) their discoveries elsewhere."

    It is a scary yet accurate possibility – I thought the same thing (public release in documentation but selling it is indeed common nowadays, and if you think on it, selling is just an extension of the former). But I'll add something. The bug bounty system itself has brought some of this to play but more than that it is the lack of concern that so many have when it comes to security (e.g. Starbucks). You can't really blame those who are ignored for doing something else about it. Well, you could but what else can they do besides hoping no one else with malicious intent finds it (and keeps it a secret)? Then there is the problem that is the black market – there is a lot of money to be made because people (and organisations including governments) are willing to buy exploits – including 0-days (governments buying these too). The entire situation is a real mess and the supposed responsible parties (i.e. state actors) make it much worse (and it is bad for anyone doing it but it says a lot more when a nation does it).

  2. Gary H.

    September 22, 2015 at 8:55 pm

    I had to look up "schtum" (which I enjoyed doing, by the way).

  3. Gabor Szathmari

    September 23, 2015 at 8:02 am

    Critical things for a successful bug bounty program are the ability to cut through red tape and great customer service. The former helps to get bug fixes done and be pushed into production in a timely manner. The latter ensures security researchers are treated well, so they continue coming back with their vulnerability reports. This contributes to the overall security of the company and ultimately helps protecting customer data.

    Starbucks is apparently able to execute bug fixes but has issues with handling external communication. Please hire someone with experience dealing with the public, or engage someone from PR to do the follow-ups.

  4. David L

    September 23, 2015 at 10:41 pm

    Starbucks is a thief! Plain and simple. They effectively stole the research and need to be called out for it! They pulled this on the last guy. And at the time, there was even another similar issue concurrent.
