Security Experts:

SQL Injection Vulnerability Exposed Starbucks Financial Records

A critical SQL injection vulnerability exposed nearly one million financial records stored in a Starbucks enterprise database, a researcher revealed this week.

Eugene Lim, aka spaceraccoon, earned $4,000 after reporting the flaw to Starbucks via the company’s bug bounty program on HackerOne. The security hole was identified on April 8 and it was patched within two days. The vulnerability report he submitted to HackerOne was made public on August 6.

It’s worth noting that $4,000 is the maximum amount of money Starbucks pays for critical vulnerabilities through its bug bounty program. The average bounty awarded by the coffee giant is $250 and the total amount paid out so far exceeds $400,000.

According to Lim, he started by checking the targeted endpoint for file upload vulnerabilities and then tested it for XXE flaws after noticing that it had been running the Microsoft Dynamics AX enterprise resource planning (ERP) platform.

After his attempts to launch XXE attacks failed, he decided to move on to other potential targets. Roughly a month later, he decided to revisit the endpoint and check for SQL injections, which he soon discovered.

“So I had an SQL injection - but what if the database was unused or negligible? I decided to test for three things: the type of data in the database, the amount of data, and the recency of data. However, I quickly met a roadblock: as an enterprise database, Microsoft Dynamics AX was massive: a quick check revealed that the database had thousands of tables. I had to find and focus on the main table, but where should I begin?” Lim wrote in his report to Starbucks.

He added, “Fortunately, Microsoft provides documentation online about Dynamics AX. After a bit of research, I found the default main table and the relevant columns. A few minutes later, the answers came in. There were almost a million entries up till the previous year that included real accounting information. Zaheck!! I immediately stopped testing and wrote my report.”

The researcher said the database stored accounting and other financial records, including tax, receipt and payroll data.

SQL injection vulnerability in Starbucks

Related: Google Increases Bug Bounty Program Rewards

Related: Two White Hats Earn Over $1 Million via Bug Bounty Programs

Related: Researcher Earns $10,000 for Another XSS Flaw in Yahoo Mail

Related: Instagram Account Takeover Vulnerability Earns Hacker $30,000

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.