If you are one of those Millions Starbucks customers who have registered their accounts and credit card details on StarBucks website, then your banking details are vulnerable to hackers.
An Independent Security Researcher, Mohamed M. Fouad from Egypt, has found three critical vulnerabilities on StarBucks website that could have allowed attackers to take over your account in just one click.
The vulnerabilities include:
- Remote Code Execution
- Remote File Inclusion lead to Phishing Attacks
- CSRF (Cross Site Request Forgery)
Stealing Credit Cards Details
In case of Remote File Inclusion flaw, an attacker can inject a file from any location into the target page, which includes as a source code for parsing and execution, allowing attacker to perform:
- Remote Code Execution on the company's web server
- Remote Code Execution on the client-side, potentially allowing attacker to perform other attacks such as Cross-Site Scripting (XSS)
- Data theft or data manipulation via Phishing attacks in an attempt to hijack customers' accounts containing credit cards details
Hijacking Starbucks Store Account Using CSRF
CSRF or Cross-Site Request Forgery is a method of attacking a website in which an intruder masquerades as a legitimate user. All attackers need to do is get the target browser to make a request to the site on their behalf, if they can either:
- Convince users to click on their HTML page
- Insert arbitrary HTML in a target site
In this case, an attacker can use CSRF to trick a victim into clicking a URL that changes user's store account information including account password.
This could allow the attacker to hijack victims' accounts, delete accounts or change victims' email addresses.
Fouad has also provided a video demonstration as a Proof of Concept to show the attack in work. You can watch the video given below:
In a white-hat style, Fouad reported the critical flaws to StarBucks twice but didn't get any reply from the team.
Fouad then reported the same flaws to US-CERT, which confirmed the vulnerabilities that were fixed by the StarBucks team nearly ten days ago.
However, Fouad is still waiting for the reply and his bug bounty from StarBucks team, as the company started the bug bounty program just two months ago.