Hacker uses Starbucks INFINITE MONEY for free CHICKEN SANDWICH

Coffee king finds cheeky exploit a bitter taste

Sakurity hacker Egor Homakov has found a way to dupe Starbucks into loading free cash onto the "coffee" chain's payment cards.

Homakov says a race condition within Starbuck's card purchase system means money can be transferred between cards without it being deducted.

The bug hunter exploited the bug and tested it by purchasing food and drink at Starbucks.

He says he pulled off the hack which he first quietly reported to the coffee house by opening two browser windows and simultaneously moving US$5 from one account to another in both sessions.

"So the transfer of money from card one to card two is stateful: the first POST request saves these values in the session and the second POST actually transfers the money and clears the session," Homakov says.

"This makes the exploitation harder because the session gets destroyed right after first confirmation request and second one fails."

"But this 'protection' is still easy to bypass: just use same account from two different browsers (with different session cookies)."

Starbucks reciept image

Proof of purchase concept.

The result was that $10 was loaded onto the second account but only $5 was deducted.

Homakov tested that the cash transfer had actually occurred in a Starbucks cafe in San Francisco where he bought water, gum, and a chicken sandwich.

He added $10 onto the account to reimburse the coffee giant for the $1.70 stolen.

However Starbucks did not appreciate the exploitation nor the hacker's quiet disclosure despite closing the hole in about 10 days earlier this month.

"The unpleasant part is a guy from Starbucks calling me … mentioning 'fraud' and 'malicious actions' instead," Homakov says.

The push back is not unexpected since vulnerability tests conducted without explicit authorisation often irk organisations.

Security bods commenting on Reddit have debated Starbuck's response with most feeling that Homakov pushed the boundaries of acceptable white hat research through his cafe purchase.

The exploitation of discovered bugs is widely-considered bad practise and will usually result in the forfeiture of paid bounties, and occasionally in legal action.

Security professionals have long urged technology teams of all sizes to maintain a bug reporting security policy on their company websites, and assign an internal staff member to handle inquiries.

The New Zealand Internet Task Force offers a nice template for how to do this stuff right in its guidelines (PDF) on the handling of bug reports by researchers and organisations. ®

Similar topics

Other stories you might like

  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading
  • 1Password's Insights tool to help admins monitor users' security practices
    Find the clown who chose 'password' as a password and make things right

    1Password, the Toronto-based maker of the identically named password manager, is adding a security analysis and advice tool called Insights from 1Password to its business-oriented product.

    Available to 1Password Business customers, Insights takes the form of a menu addition to the right-hand column of the application window. Clicking on the "Insights" option presents a dashboard for checking on data breaches, password health, and team usage of 1Password throughout an organization.

    "We designed Insights from 1Password to give IT and security admins broader visibility into potential security risks so businesses improve their understanding of the threats posed by employee behavior, and have clear steps to mitigate those issues," said Jeff Shiner, CEO of 1Password, in a statement.

    Continue reading
  • Inside the RSAC expo: Buzzword bingo and the bear in the room
    We mingle with the vendors so you don't have to

    RSA Conference Your humble vulture never liked conference expos – even before finding myself on the show floor during a global pandemic. Expo halls are a necessary evil that are predominatly visited to find gifts to bring home to the kids. 

    Do organizations really choose security vendors based on a booth? The whole expo hall idea seems like an outdated business model – for the vendors, anyway. Although the same argument could be made for conferences in general.

    For the most part, all of the executives and security researchers set up shop offsite – either in swanky hotels and shared office space (for the big-wigs) or at charming outdoor chess tables in Yerba Buena Gardens. Many of them said they avoided the expo altogether.

    Continue reading

Biting the hand that feeds IT © 1998–2022