Another Starbucks bug! But this one pays YOU, not hackers


Remember when I told you all about how hackers have found a way to break into Starbucks gift cards without even knowing account numbers? It turns out they can access the gift cards, take money off them until the gift card balance reaches $0, and then access your bank account to reload your Starbucks card.

This new twist reported over the weekend is the exact opposite - it could pay you! Ok, maybe not really pay you, but a security researcher found a flaw that let him put money on his Starbucks gift card ... money that appeared out of nowhere.

Security researcher Egor Homakov discovered a "race condition" bug inside Starbucks' payment system. The flaw allowed him to change the way money transactions are handled and made money appear from thin air. He explains the process in detail on his blog.

Race conditions are a common type of vulnerability for websites that handle money, as Starbucks.com does. By exploiting one, Homakov was able to change the way Starbucks.com handled transactions and end up with money from nowhere in his own account.
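The bug class named above, as an added example that is not Homakov's or Starbucks' code: the article does not describe the actual mechanics, so the card-to-card transfer, the table layout and every function name here are assumptions. It replays two simultaneous requests against a check-then-act debit, then against a single conditional UPDATE, and uses the ledger total as the check that reveals created money.

```python
import sqlite3

def make_db():
    # Constructed sample data: card A holds 500 cents, card B holds 0.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cards (id TEXT PRIMARY KEY, balance INTEGER NOT NULL)")
    db.executemany("INSERT INTO cards VALUES (?, ?)", [("A", 500), ("B", 0)])
    return db

def balance(db, card):
    return db.execute("SELECT balance FROM cards WHERE id = ?", (card,)).fetchone()[0]

def total(db):
    # Reconciliation invariant: transfers must never change the sum of all balances.
    return db.execute("SELECT SUM(balance) FROM cards").fetchone()[0]

def racy_transfers(db, src, dst, amount, requests=2):
    """Check-then-act: the interleaving is replayed deterministically, with
    every request reading the balance before any request writes."""
    snapshots = [balance(db, src) for _ in range(requests)]  # all requests read
    for seen in snapshots:                                   # all requests write
        if seen >= amount:  # check passes on a stale value
            db.execute("UPDATE cards SET balance = ? WHERE id = ?", (seen - amount, src))
            db.execute("UPDATE cards SET balance = balance + ? WHERE id = ?", (amount, dst))
    db.commit()
    return total(db)

def atomic_transfer(db, src, dst, amount):
    """The check and the debit are one statement, so the database evaluates
    them together no matter how requests interleave."""
    with db:  # one transaction: commits on success, rolls back on error
        cur = db.execute(
            "UPDATE cards SET balance = balance - ? WHERE id = ? AND balance >= ?",
            (amount, src, amount))
        if cur.rowcount != 1:
            return False  # insufficient funds, nothing credited
        db.execute("UPDATE cards SET balance = balance + ? WHERE id = ?", (amount, dst))
    return True

def atomic_transfers(db, src, dst, amount, requests=2):
    results = [atomic_transfer(db, src, dst, amount) for _ in range(requests)]
    return results, total(db)

if __name__ == "__main__":
    print("racy total:", racy_transfers(make_db(), "A", "B", 500))
    print("atomic:", atomic_transfers(make_db(), "A", "B", 500))
```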

To test whether this could actually work, he put $20 of the free money on two accounts, headed to the nearest Starbucks and bought himself lunch. Here's his receipt:


So after this free lunch, Homakov put his own hard-earned cash into the system, noting on his blog, "The concept is proven and now let’s deposit $10 from our credit card to make sure the US justice system will not put us in jail over $1.70."

But the hardest part of discovering this flaw was getting hold of someone at Starbucks who cares, in order to report the problem. He noted and joked on his blog:

The hardest part - responsible disclosure. Support guy honestly answered there’s absolutely no way to get in touch with technical department and he’s sorry I feel this way. Emailing InformationSecurityServices@starbucks.com on March 23 was futile (and it only was answered on Apr 29). After trying really hard to find anyone who cares, I managed to get this bug fixed in like 10 days.

The unpleasant part is a guy from Starbucks calling me with nothing like “thanks” but mentioning “fraud” and “malicious actions” instead. Sweet!

So what could I do to not feel like an idiot looking for troubles? I could create a simple bunch of fake gift cards bought around the world, silently generate credits on them and sell Starbucks credits online for Bitcoin with, say, 50% discount. It would easily make me a couple of millions of dollars unless Starbucks actually tracks gift card balances. I don’t know for sure, it’s just a wild guess that this bug could be pretty profitable.

