Starbucks has recently addressed a critical vulnerability affecting its mobile platform. If exploited, the bug could have severely threatened the platform's security, as it allowed code execution attacks.
Starbucks Mobile Platform Vulnerability
Security researcher Kamil “ko2sec” Onur Özkaleli discovered a critical security vulnerability in the Starbucks mobile platform.
In brief, the bug affected the Singapore domain of the coffee giant. Exploiting it could allow an adversary to execute code remotely on the target platform.
Specifically, the vulnerability resided in the file upload feature on the domain mobile.starbucks.com.sg. This feature is meant to accept image files only. However, it did not check the type of the uploaded files. Hence, an attacker could upload malicious files to the domain and execute malicious code.
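The fix for this class of bug is to decide the file type on the server, from an allowlist and from the file's own bytes, and never from the client's name alone. The following is an added illustration (not Starbucks' code; the function name, the allowlist and the sample inputs are constructed for this example):

```python
import re
import uuid

# Allowlisted image extensions, each paired with the leading bytes ("magic")
# a genuine file of that type must carry. Constructed for this example.
ALLOWED_SIGNATURES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def check_image_upload(client_filename, data):
    """Return (True, server_side_name) for an acceptable image, or (False, reason).

    The client-supplied name is consulted only for the *claimed* extension;
    the file bytes have the final say, and the stored name is chosen here,
    so nothing the client sent ever becomes part of a path on disk.
    """
    # Strip any directory component the client may have smuggled in ("../", "C:\\").
    base = client_filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    # Exactly one extension: "shell.ashx.png" and "shell.png.ashx" are both
    # refused, so a handler-mapped suffix can never appear in the stored name.
    if len(parts) != 2 or not re.fullmatch(r"[a-z0-9_-]{1,64}", parts[0]):
        return False, "filename must be name.ext with a single extension"
    ext = "." + parts[1]
    if ext not in ALLOWED_SIGNATURES:
        return False, f"extension {ext!r} is not an allowed image type"
    if not any(data.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        return False, "content does not match the claimed image type"
    # Discard the client name entirely: random name plus the verified extension.
    return True, f"{uuid.uuid4().hex}{ext}"
```

Magic-byte checks only stop the crudest mismatches; the accepted files must also be stored where the web server will serve them as static content and never hand them to a script handler.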
Upon discovering the bug, the researcher reached out to Starbucks via their HackerOne bug bounty program.
Describing the bug in the bug report, Starbucks stated,
ko2sec discovered an .ashx endpoint on mobile.starbucks.com.sg, intended for image files, that permitted unrestricted file type uploads, which could lead to a potential RCE.
They also noted that the same issue affected some out-of-scope domains.
ko2sec’s thorough analysis provided additional endpoints on other out-of-scope domains that shared this vulnerability.
$5600 Bounty Awarded
The researcher discovered this RCE vulnerability in November 2020 and reported it to Starbucks.
After about a month, Starbucks disclosed the bug report whilst keeping the timelines and technical details private.
Nonetheless, what is clear is that Starbucks rated it a critical-severity vulnerability with a score of 9.8, and accordingly awarded the researcher a bounty of $5600. (Their maximum payout for a critical bug report is $6000.)
Earlier, the same researcher had discovered another critical flaw, an IDOR leading to account takeover, for which he received a $6000 bounty.