Hacker exploits security flaw to credit unlimited Starbucks

And draws the fury of the Starbucks legal team.

Mar 1, 2020, 3:15 am*

Crime

 

Patrick Howell O'Neill

Thirsty? Why pay?

A clever security researcher—a hacker, when you’re not looking at business cards—figured out a way to generate an unlimited amount of money on Starbucks gift cards “to get life-time supply of coffee or steal a couple of $millions.”

“So I got an idea to buy 3 Starbucks cards $5 each,” Egor Homakov explained on his blog.

Usually, when hackers finds a big-time bug like this on a website, the company pays them a big reward for telling them quietly rather than using it maliciously.

Just last month, YouTube paid out $3,117.70 to a pair of hackers who helped them fix a bug allowing impersonation of any user.

This time around, Homakov said, Starbucks wasn’t so happy to be helped.

“The unpleasant part is a guy from Starbucks calling me with nothing like ‘thanks’ but mentioning ‘fraud’ and ‘malicious actions’ instead. Sweet!,” Homakov joked.

By exploiting a “race condition” bug on Starbucks.com, a common type of vulnerability for websites that handle money like Starbucks does, Homakov was able to change the way Starbucks.com handled transactions to end up with money from nowhere in his own account.

After getting $20 in free cash on his own account, he headed to a nearby Starbucks and bought himself lunch.

Given the less-than-positive reaction from Starbucks and an imperfect American justice system, it was no surprise when Homakov put $10 of his own real money on his Starbucks account to pay back for the sandwich just in case.

But next time someone finds a bug on Starbucks.com, don’t be too shocked if no one rushes to tell Starbucks. A quick tip to companies who hear from hackers: Pay them and shake their hand.

H/T SakurityPhoto via Elliott Brown/Flickr (CC BY 2.0)

Share this article
*First Published: May 21, 2015, 9:40 pm