Flaws found on Starbucks website open users to cyber-attack

Three critical vulnerabilities have been discovered on the Starbucks website that leave users with a registered account and linked credit card open to the possibility of cyber-attacks.

Mohamed M Fouad, an Egyptian security researcher, found the three flaws: remote code execution; remote file inclusion lead to phishing attacks; CSRF (cross site request forgery).

Fouad exploited the CSRF by deceiving the victim into clicking a URL that changes user's store account information including the password for the account, allowing him to hijack victims' accounts, delete their accounts or change their email addresses. Fouad provided this video.

Fouad reported the flaws to Starbucks but never received a reply from the company. He also reported the vulnerabilities to the US-CERT, which confirmed that the flaws existed.

Starbucks fixed the vulnerabilities a few weeks ago.