Flaws found on Starbucks website open users to cyber-attack

News by Danielle Correa

Three critical vulnerabilities have been discovered on the Starbucks website.

Three critical vulnerabilities have been discovered on the Starbucks website that leave users with a registered account and linked credit card open to the possibility of cyber-attacks.

Mohamed M Fouad, an Egyptian security researcher, found the three flaws: remote code execution; remote file inclusion, which could lead to phishing attacks; and cross-site request forgery (CSRF).

Fouad exploited the CSRF flaw by deceiving the victim into clicking a URL that changes the user's store account information, including the account password, allowing him to hijack victims' accounts, delete them or change their email addresses. Fouad provided a video demonstration.
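The account-change CSRF described above works because the server trusts any request that carries the victim's session cookie, even one triggered by a link on another site. The following is an added illustration, not code from the article or from the Starbucks site, using a constructed in-memory session store and a hypothetical `store.example` origin: the first handler accepts a state change on any request, the hardened one requires POST, a matching Origin header and a per-session synchronizer token.

```python
import hmac
import secrets

# Constructed in-memory session store standing in for the real site's backend.
SESSIONS = {}
SITE_ORIGIN = "https://store.example"  # hypothetical origin of the legitimate site

def new_session(user, email):
    """Create a logged-in session and return its cookie value."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "email": email, "csrf": None}
    return sid

def issue_csrf_token(session_id):
    """Mint a random synchronizer token, stored server-side and embedded in the form."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id]["csrf"] = token
    return token

def _apply_change(sess, params):
    sess.update({k: v for k, v in params.items() if k in ("email", "password")})

def vulnerable_update(request):
    """Before: any request with a valid session cookie changes the account,
    so a crafted link the victim follows from elsewhere is honoured."""
    sess = SESSIONS.get(request["cookies"].get("session"))
    if sess is None:
        return 401
    _apply_change(sess, request["params"])
    return 200

def hardened_update(request):
    """After: state changes need POST, a same-site Origin and a token that
    matches the one stored for this session (compared in constant time)."""
    sess = SESSIONS.get(request["cookies"].get("session"))
    if sess is None:
        return 401
    if request["method"] != "POST":
        return 405                      # links and image tags only issue GET
    if request["headers"].get("Origin") != SITE_ORIGIN:
        return 403                      # cross-site form posts fail here
    token = request["params"].get("csrf_token")
    if not sess["csrf"] or token is None or not hmac.compare_digest(token, sess["csrf"]):
        return 403                      # attacker cannot read the victim's token
    _apply_change(sess, request["params"])
    return 200
```

A SameSite=Lax cookie attribute adds a second, browser-enforced layer, but the server-side token check is what stops the forged request regardless of client.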

Fouad reported the flaws to Starbucks but never received a reply from the company. He also reported the vulnerabilities to US-CERT, which confirmed that the flaws existed.

Starbucks fixed the vulnerabilities a few weeks ago.
