A security researcher said he found a way to generate unlimited amounts of money on Starbucks gift cards. The coffee company doesn’t seem to be pleased with the way the expert tested his findings.
Starbucks gift cards can be managed by creating an account on starbucks.com. Users can check their balances and transfer funds from one card to another using these accounts.
Russian researcher Egor Homakov of Sakurity identified a race condition vulnerability in the Starbucks website that allowed him to transfer a certain amount of money from one card to another twice by using two different browsers with different session cookies.
The expert acquired three $5 Starbucks gift cards to conduct tests. He exploited the security bug to make two simultaneous $5 transfers from one card to another, which resulted in the recipient card having a $15 balance.
To ensure that the money he obtained using the exploit was real, Homakov used the $5 and the $15 cards to make a purchase at Starbucks. The researcher then deposited $10 from his credit card to avoid legal problems.
Once he made sure that the exploit worked, Homakov attempted to report his findings to Starbucks by sending an email to informationSecurityServices (at) starbucks.com. He sent an email on March 23, but didn’t get a reply until April 29.
“After trying really hard to find anyone who cares, I managed to get this bug fixed in like 10 days,” Homakov explained in a blog post.
Starbucks addressed the vulnerability, but the researcher says the company wasn’t too happy with the way he tested his findings.
“The unpleasant part is a guy from Starbucks calling me with nothing like ‘thanks’ but mentioning ‘fraud’ and ‘malicious actions’ instead. Sweet!” Homakov said.
According to the researcher, a malicious actor could have exploited the vulnerability to generate credit on Starbucks gift cards purchased around the world, and then sell them online for Bitcoin at a discount.
“It would easily make me a couple of millions of dollars unless Starbucks actually tracks gift card balances. I don’t know for sure, it’s just a wild guess that this bug could be pretty profitable,” Homakov explained.
Some agree with Homakov’s methods, arguing that he didn’t have malicious intentions and he didn’t cause any damage. Others, however, believe he could have reported his findings without actually using the illegally reloaded card.
The researcher claims he hasn’t violated any Starbucks policy and defended his actions by saying that the coffee giant might have attempted to downplay the seriousness of the issue if he had not demonstrated its impact.
Responsible disclosure controversy
The disclosure and live testing of security vulnerabilities has been a highly controversial topic over the past years. A perfect example is the case of Andrew Auernheimer, also known as “weev,” who was sentenced to prison for obtaining the details of 120,000 AT&T customers while trying to demonstrate the existence of a bug. Auernheimer was released in April 2014 after an appeals court overturned the conviction.
More recently, a researcher named Chris Roberts was questioned by the FBI after the posted a tweet about hacking an airplane. Roberts said he dedicated much of his time to improving aviation security, but authorities claim the researcher actually hijacked an aircraft mid-flight.
HackerOne’s Chief Policy Officer, Katie Moussouris, noted in a blog post last week that current legislation should be revised since it discourages security research by blurring the line between defense and crime.
“It is high time for security research to be protected under the law. The hackers with the skills to break into software and networks, who choose to come forward with their knowledge and share their findings, should be legally exempt from criminal prosecution under laws designed to punish crime,” said Moussouris.
Cybercriminals target Starbucks customers
News broke earlier this month that Starbucks’ mobile application might have been hacked. Many customers who had their Starbucks cards connected to their payment cards through the Starbucks mobile app complained that someone had stolen their money.
Starbucks denied being breached and pointed out that the fraudsters are likely counting on the fact that many users utilize the same username and password combination for multiple online services. The most likely scenario is that the attackers obtain the credentials through phishing attacks or by hacking other websites, and use the stolen data to access Starbucks accounts.
It’s likely that the fraudsters have stolen a lot of money from Starbucks customers since the auto-reload feature, which many people have enabled, ensures that gift cards are reloaded automatically with a certain amount of money when their balance reaches zero.