Free Starbucks - not everyone's cup of tea

Being the bearer of bad news is no longer a death sentence, but companies rarely react well when told their security has been breached.

Russian security researcher Egor Homakov of Sakurity is reported to have identified a race condition vulnerability in the Starbucks website and used it to make two simultaneous US$5 transfers from one card to another, using two different browsers with different session cookies, which resulted in the recipient card having a US$15 balance. He then proved the transfer had taken place by using the US$5 and the US$15 cards to make a purchase at a downtown San Francisco Starbucks - and deposited US$10 from his credit card to avoid legal problems.
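The article does not describe how the Starbucks backend handled transfers, so the following is an added illustration rather than Starbucks' or Homakov's code. It assumes a hypothetical `cards` table in SQLite and constructed US$5 balances, and shows how a check-then-act transfer lets two overlapping requests both succeed, beside a version that checks and debits in one atomic statement.

```python
import sqlite3

def new_ledger():
    # Constructed sample data: two cards holding US$5 each (hypothetical schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cards (id TEXT PRIMARY KEY, "
               "balance INTEGER NOT NULL CHECK (balance >= 0))")
    db.executemany("INSERT INTO cards VALUES (?, ?)", [("A", 5), ("B", 5)])
    return db

def balances(db):
    return dict(db.execute("SELECT id, balance FROM cards ORDER BY id"))

def read_balance(db, card):
    return db.execute("SELECT balance FROM cards WHERE id = ?", (card,)).fetchone()[0]

def racy_write(db, src, dst, amount, seen):
    # Check-then-act: the decision relies on a balance read earlier, now stale.
    if seen < amount:
        return False
    db.execute("UPDATE cards SET balance = ? WHERE id = ?", (seen - amount, src))
    db.execute("UPDATE cards SET balance = balance + ? WHERE id = ?", (amount, dst))
    return True

def atomic_transfer(db, src, dst, amount):
    # The funds check and the debit are one statement inside one transaction.
    with db:
        cur = db.execute(
            "UPDATE cards SET balance = balance - ? WHERE id = ? AND balance >= ?",
            (amount, src, amount))
        if cur.rowcount != 1:
            return False  # insufficient funds: nothing was debited
        db.execute("UPDATE cards SET balance = balance + ? WHERE id = ?", (amount, dst))
        return True

def demo_racy():
    db = new_ledger()
    seen1 = read_balance(db, "A")  # request 1 reads 5
    seen2 = read_balance(db, "A")  # request 2 reads 5 before request 1 writes
    results = [racy_write(db, "A", "B", 5, seen1), racy_write(db, "A", "B", 5, seen2)]
    return results, balances(db)

def demo_atomic():
    db = new_ledger()
    results = [atomic_transfer(db, "A", "B", 5), atomic_transfer(db, "A", "B", 5)]
    return results, balances(db)

if __name__ == "__main__":
    print("racy:  ", demo_racy())
    print("atomic:", demo_atomic())
```

In the racy version the two cards end with a combined US$15 from a starting US$10, the same outcome the article reports; the atomic version rejects the second request.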

Homakov emailed his findings to Starbucks on 23 March but didn't get a reply until 29 April. A Starbucks official reportedly initially promised to pay a US$1,000 bug bounty reward, but subsequent correspondence threatened legal action, claiming ‘fraud’ and ‘malicious actions’. In his blog post, Homakov said, “After trying really hard to find anyone who cares, I managed to get this bug fixed in like 10 days.” He then pointed out that he could have exploited the vulnerability to generate unlimited balances on Starbucks gift cards purchased around the world, and then sell them online for Bitcoin at a discount. Critics would counter that Homakov did actually create a fraudulent balance (to the sum of US$1.70) without permission or invitation, and thus overstepped the line of what is legally permissible for a security researcher.

Starbucks subsequently issued a statement that it has, “Safeguards in place to constantly monitor for fraudulent activity. After this individual reported he was able to commit fraudulent activity against Starbucks, we put safeguards in place to prevent replication.”

Separately, there had been claims earlier this month – since discredited - that Starbucks' mobile application might have been hacked, and customers with Starbucks cards connected to their payment cards through the Starbucks mobile app said they had money stolen. Starbucks said that many users use the same username and password combination for multiple online services so credentials stolen elsewhere could be used to access Starbucks accounts.

Roy Tobin, Threat Researcher at Webroot, commented in an email to SCMagazineUK.com: “Credentials leaked in previous cyber-attacks are likely to have been used to allow hackers to siphon off money from Starbucks' customers. The key security takeaway from this incident is the fact that as a company, your customers' security information often doesn't exist in a bubble. Passwords are frequently saved to browsers or documents, and are repeatedly reused by customers across separate online accounts. Consumers should take steps to regularly change their passwords and avoid using the same password across multiple online services.”

Starbucks was also used as the supposed sender of a phishing email purporting to notify the recipient that their friend had placed an order for them. Kaspersky Lab detected the attached file as Rootkit.Win32.Zbot.sapu – a modification of the spyware family Zbot (ZeuS), used to steal people's credentials.