Mohamed M. Fouad, an Egyptian security researcher, recently published a post on his blog that explains the severity of his discovery.
Motivated by the coffee company’s bug bounty program, Fouad examined Starbucks’ website code and found three vulnerabilities that, if exploited, could have allowed an attacker to change a user’s profile settings and email account, as well as steal their credit card details.
The first vulnerability was a remote code execution (RCE) bug, followed by a remote file inclusion flaw. This second hole could have allowed an attacker to perform RCE attacks on the Starbucks web server or on the client side, the latter of which could have been leveraged to execute cross-site scripting (XSS) attacks.
As The Hacker News reported, the second vulnerability could have also allowed attackers to stage phishing attacks in an attempt to siphon off customers’ credit card details.
Finally, Fouad found a cross-site request forgery (CSRF) vulnerability that an attacker could have exploited by tricking victims into visiting an attacker-controlled HTML page, or by injecting HTML into the target website. This type of flaw lets attackers go after users’ accounts, change their profile settings, and steal their payment information.
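The CSRF flaw described above boils down to a settings endpoint that trusts the browser's session cookie alone. The following added example (not Starbucks' code, and not from Fouad's write-up) models such an email-change handler in plain Python, with the vulnerable form beside a hardened one that adds a same-origin check and a session-bound token; the origin, session ids and addresses are constructed placeholders.

```python
import hmac
import secrets

# Constructed in-memory model of a profile-settings endpoint (placeholder values).
SITE_ORIGIN = "https://example-shop.invalid"
sessions = {"sess-abc": {"user": "alice", "email": "alice@example.invalid"}}
csrf_tokens = {}  # session id -> synchronizer token issued with the settings form


def issue_csrf_token(session_id):
    """Mint a per-session token; the settings form embeds it as a hidden field."""
    token = secrets.token_urlsafe(32)
    csrf_tokens[session_id] = token
    return token


def update_email_vulnerable(request):
    """Vulnerable: the session cookie is the only check, so a cross-site POST succeeds."""
    session = sessions.get(request["cookies"].get("session"))
    if session is None:
        return 401
    session["email"] = request["form"]["email"]
    return 200


def update_email_hardened(request):
    """Hardened: reject foreign origins and require the session-bound CSRF token."""
    session_id = request["cookies"].get("session")
    session = sessions.get(session_id)
    if session is None:
        return 401
    origin = request["headers"].get("Origin") or request["headers"].get("Referer", "")
    if not origin.startswith(SITE_ORIGIN):
        return 403
    expected = csrf_tokens.get(session_id)
    supplied = request["form"].get("csrf_token", "")
    # Constant-time comparison; a missing token counts as a mismatch.
    if expected is None or not hmac.compare_digest(expected, supplied):
        return 403
    session["email"] = request["form"]["email"]
    return 200


def forged_request():
    """A cross-site POST: the browser attaches the victim's cookie, the attacker's page sets the fields."""
    return {"cookies": {"session": "sess-abc"},
            "headers": {"Origin": "https://attacker.invalid"},
            "form": {"email": "attacker@attacker.invalid"}}
```

In a real application the framework's CSRF middleware provides the token handling; the point here is that the cookie alone never proves the request came from the site's own page.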
Below you can view a proof-of-concept video in which Fouad demonstrates how easy it is to exploit the CSRF vulnerability:
The security researcher states that he discovered the vulnerabilities back on June 29, 2015 and reported the bugs to Starbucks the same day.
Despite contacting the coffee company twice more before August (once via email and once via Twitter), Fouad still has yet to hear from Starbucks.
Later in the summer, Fouad reached out to US-CERT, which on August 20, 2015 confirmed that Starbucks had indeed fixed the issues some ten days prior.
Starbucks’ bug bounty program is still in its infancy. In fact, it is only a couple of months old, having been introduced after it responded poorly to another researcher demonstrating how its gift cards could be exploited.
The coffee company now has the perfect opportunity to follow through with Fouad and demonstrate to the security community that it can act as a reliable partner when it comes to acknowledging the work of security researchers.
Should the coffee company not contact Fouad, however, it could send the message that its bug bounty program is hollow and that researchers who find bugs in the future should take (and possibly sell) their discoveries elsewhere.