3 flaws in StarBucks websites open its users to attacks

The Egyptian security researcher Mohamed M. Fouad has spotted three critical vulnerabilities in the StarBucks website that open users to cyber attacks.

If you are one of the millions StarBucks users don’t waste time and change your password as soon as possible. StarBucks users who have registered an account and linked their credit card to it are potentially vulnerable to cyber attacks.

The Egyptian security researcher Mohamed M. Fouad has spotted three critical vulnerabilities in the StarBucks website that could be exploited by attackers to take over the user’s account in just one click.

The vulnerabilities includes:

Remote Code Execution
Remote File Inclusion lead to Phishing Attacks
CSRF (Cross Site Request Forgery)

A Remote File Inclusion flaw can be exploited by an attacker to inject a file from any location into the target page that includes the source code for launch the attack by performing one of these actions:

Remote Code Execution on the company’s web server
Remote Code Execution on the client-side that could be exploited to launch a Cross-Site Scripting (XSS) attack.
Data theft or data manipulation via Phishing attacks in an attempt to hijack customers’ accounts containing credit cards details

CSRF or Cross-Site Request Forgery is an hacking technique method of attacking a website in which the attacker operates on behalf of a legitimate user. The attackers just need to get the target browser to make a request to the site on their behalf, possible attack scenarios are:

Convince users to click on their HTML page
Insert arbitrary HTML in a target site

Mohamed M. Fouad exploited the CSRF by tricking the victim into clicking a URL that changes user’s store account information including account password.

In this way the expert was able to hijack victims’ accounts, delete accounts or change victims’ email addresses.

Fouad has also provided the following video PoC:

Fouad ethically reported the critical flaws to StarBucks but he never received any reply from the company.

The expert also teported the flaws to the US-CERT, which confirmed the existence of the vulnerabilities.

StarBucks has fixed the vulnerabilities a couple of weeks ago, let’s hope the company will award Fouad under the bug bounty program recently launched.

It’s not the first time that I write about security vulnerabilities in StarBucks systems.

Early 2014, the security researcher Daniel E. Wood discovered a vulnerability in the Starbucks official iOS app related to the insecure storage of user data. 10 million Starbucks customers were at risk for the flaw in the official iOS app.

A few months later, Starbucks was targeted by scammers that were syphoning money from the credit or debit card linked to the customers’ Starbucks accounts.

Pierluigi Paganini

(Security Affairs – StarBucks, hacking)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.