If you are one of the millions StarBucks users don’t waste time and change your password as soon as possible. StarBucks users who have registered an account and linked their credit card to it are potentially vulnerable to cyber attacks.
The Egyptian security researcher Mohamed M. Fouad has spotted three critical vulnerabilities in the StarBucks website that could be exploited by attackers to take over the user’s account in just one click.
The vulnerabilities includes:
A Remote File Inclusion flaw can be exploited by an attacker to inject a file from any location into the target page that includes the source code for launch the attack by performing one of these actions:
CSRF or Cross-Site Request Forgery is an hacking technique method of attacking a website in which the attacker operates on behalf of a legitimate user. The attackers just need to get the target browser to make a request to the site on their behalf, possible attack scenarios are:
Mohamed M. Fouad exploited the CSRF by tricking the victim into clicking a URL that changes user’s store account information including account password.
In this way the expert was able to hijack victims’ accounts, delete accounts or change victims’ email addresses.
Fouad has also provided the following video PoC:
Fouad ethically reported the critical flaws to StarBucks but he never received any reply from the company.
The expert also teported the flaws to the US-CERT, which confirmed the existence of the vulnerabilities.
StarBucks has fixed the vulnerabilities a couple of weeks ago, let’s hope the company will award Fouad under the bug bounty program recently launched.
It’s not the first time that I write about security vulnerabilities in StarBucks systems.
Early 2014, the security researcher Daniel E. Wood discovered a vulnerability in the Starbucks official iOS app related to the insecure storage of user data. 10 million Starbucks customers were at risk for the flaw in the official iOS app.
A few months later, Starbucks was targeted by scammers that were syphoning money from the credit or debit card linked to the customers’ Starbucks accounts.
(Security Affairs – StarBucks, hacking)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.