Recently, a researcher discovered a Starbucks API key exposed in a public GitHub repo. Had a hacker with malicious intent accessed the key, they may have been able to change authorized users and access internal data.
Starbucks Exposed API Key
Bug hunter Vinoth Kumar caught a vulnerability affecting Starbucks systems. Specifically, he found an API key exposed in a public GitHub repository that granted access to Starbucks' JumpCloud API.
JumpCloud is a cloud directory service that serves as an alternative to Active Directory and Azure AD. It provides user management, a cloud Lightweight Directory Access Protocol (LDAP) service, web app single sign-on (SSO) and more.
According to Kumar, anyone holding the API key could gain access to the Starbucks systems' internal data. As explained by the researcher, exploiting the bug could allow an attacker to:
- Execute commands on systems (https://docs.jumpcloud.com/1.0/commands/create-a-command)
- Add or remove users who have access to internal systems
- Take over the AWS account
Thus, it was a critical issue that required immediate attention from the vendor.
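The root cause here was a credential committed to a public repository, so the defensive control of most interest is catching such a key before it leaves a developer's machine. The following is an added example, not code from the article or from Starbucks or JumpCloud: a minimal pre-commit style scanner that flags a high-entropy string assigned to a variable whose name suggests a credential (api_key, x-api-key, secret, token, password). The keyword list, the entropy threshold and the sample configuration file are all constructed for illustration; the hex value in the sample is made up and is not a real key. The assumed JumpCloud key format is not relied on: the check is generic, so it also applies to keys for other services, and it ignores obvious placeholders such as CHANGEME.

```python
"""Pre-commit style secret scanner (added example, not from the article).

Flags lines that assign a high-entropy string to a variable whose name
suggests a credential. All patterns, thresholds and sample input below are
constructed for illustration.
"""
import math
import re
import sys
from collections import Counter
from typing import Iterable, List, Tuple

# Variable/header names that commonly carry credentials (constructed list).
CREDENTIAL_HINTS = re.compile(
    r"(api[_-]?key|x-api-key|secret|token|passw(or)?d)", re.IGNORECASE
)
# A candidate secret: 20+ chars of hex/base64-like material after a quote, '=' or ':'.
CANDIDATE = re.compile(r"['\"=:\s]([A-Za-z0-9+/_\-]{20,})")

# Constructed threshold: random 40-char hex keys sit near 3.9 bits/char,
# English words and placeholders fall well below.
ENTROPY_THRESHOLD = 3.5
PLACEHOLDERS = ("REDACTED", "CHANGEME", "YOUR_API_KEY_HERE", "EXAMPLE")

# Constructed sample of a config file accidentally staged for commit.
SAMPLE_FILE = """\
# constructed sample of a config accidentally committed
DIRECTORY_API_URL = "https://example.invalid/api"
api_key = "a3f9c2e81b7d4f06e5a19c3d8b2f7e4a01c6d9b3"   # constructed, not a real key
api_key_example = "YOUR_API_KEY_HERE_CHANGEME"
password = "correcthorsebatterystaple"
timeout_seconds = 30
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from character frequencies in s."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(text: str) -> List[Tuple[int, str, float]]:
    """Return (line_number, candidate, entropy) for each likely hardcoded credential.

    Caveat shown by the sample: a dictionary passphrase has low entropy and is
    not flagged, so entropy checks belong next to pattern rules, not instead of them.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not CREDENTIAL_HINTS.search(line):
            continue  # no credential-like name on this line
        for m in CANDIDATE.finditer(line):
            cand = m.group(1)
            if any(p in cand.upper() for p in PLACEHOLDERS):
                continue  # obvious placeholder, not a live secret
            ent = shannon_entropy(cand)
            if ent >= ENTROPY_THRESHOLD:
                findings.append((lineno, cand, round(ent, 2)))
    return findings


def scan_files(paths: Iterable[str]) -> List[Tuple[str, int, str, float]]:
    """Scan each file on disk; returns (path, line, candidate, entropy) tuples."""
    results = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, cand, ent in scan_text(fh.read()):
                results.append((path, lineno, cand, ent))
    return results


def main(argv: List[str]) -> int:
    """Pre-commit entry point: non-zero exit blocks the commit when a secret is found."""
    hits = scan_files(argv)
    for path, lineno, cand, ent in hits:
        print(f"{path}:{lineno}: possible credential {cand[:6]}... (entropy {ent})")
    return 1 if hits else 0


if __name__ == "__main__":
    # Run directly with the staged file paths, e.g. from a .git/hooks/pre-commit script.
    sys.exit(main(sys.argv[1:]))
```

Wired into a pre-commit hook, the scanner rejects the commit on the constructed `api_key` line while letting the placeholder and the low-entropy passphrase through; the latter is the documented gap of entropy-only detection and the reason real deployments pair it with service-specific key patterns and with revocation on the server side, as happened here.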
Starbucks Awarded $4000 Bounty
Kumar found the exposed API key in October 2019. He then went through responsible disclosure to report the bug on HackerOne. A few days after his report, he noticed that the issue no longer existed.
This issue seems to be fixed. The repo has been removed and the API key has been revoked.
Nonetheless, Starbucks continued working on the matter to ensure the flaw was fully resolved before declaring it fixed. Hence, they took more time and formally acknowledged the remediation in November 2019.
We have determined that this report demonstrates “significant information disclosure”… At this time, we are satisfied with the remediation of the issue and are ready to move to closure.
Apart from fixing the matter, Starbucks also awarded Vinoth Kumar a $4000 bounty for reporting the flaw.
In December, HackerOne also awarded $20,000 to a bug hunter as bounty for reporting a bug in the platform. Exploiting the vulnerability could let an attacker gain access to private bug reports on HackerOne.