
Remote code execution vulnerability uncovered in Starbucks mobile platform

The researcher’s report revealed multiple endpoints vulnerable to the same flaw.
Written by Charlie Osborne, Contributing Writer on

A potential remote code execution (RCE) bug has been patched in one of Starbucks' mobile domains. 

The US coffee giant runs a bug bounty platform on HackerOne. A new vulnerability report by Kamil "ko2sec" Onur Özkaleli, first submitted on November 5 and made public on December 9, describes an RCE issue found on mobile.starbucks.com.sg, a platform for Singaporean users. 


According to the advisory, ko2sec discovered an .ashx endpoint on mobile.starbucks.com.sg that was intended for handling image files. However, the endpoint did not restrict the types of files that could be uploaded, which means that attackers abusing the issue could potentially upload malicious files and remotely execute arbitrary code. 
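The root cause described above is an upload handler that trusts whatever the client sends. As an added illustration (not code from the Starbucks report or from ZDNet), the following validator shows the checks such an image endpoint should apply on the server side: an extension allowlist, a content check that the bytes really are the declared image type, rejection of path components in the client-supplied name, and a server-chosen name for the stored file. The accepted image types, size cap and sample inputs are assumptions made for the example.

```python
"""Added example of a defensive image-upload validator.

Not the Starbucks handler; the accepted types and size cap are assumed.
Accepts a file only when BOTH the claimed extension and the actual bytes
are a known image type, and never reuses the client's filename on disk.
"""
import os
import secrets
from dataclasses import dataclass
from typing import Optional

# Extension allowlist mapped to the magic bytes each type must start with.
# (Assumption: the endpoint only ever needs PNG/JPEG/GIF.)
IMAGE_SIGNATURES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}
MAX_BYTES = 5 * 1024 * 1024  # constructed size cap for the example


@dataclass
class UploadDecision:
    accepted: bool
    reason: str
    stored_name: Optional[str] = None


def validate_image_upload(client_filename: str, data: bytes) -> UploadDecision:
    """Return whether the upload is accepted and, if so, the server-chosen name."""
    if len(data) == 0 or len(data) > MAX_BYTES:
        return UploadDecision(False, "bad size")

    # Use only the final path component; reject traversal and NUL bytes outright.
    base = os.path.basename(client_filename.replace("\\", "/"))
    if base != client_filename or "\x00" in base or base.startswith("."):
        return UploadDecision(False, "unsafe filename")

    # Judge by the LAST extension, so a double extension is refused unless
    # the final one is on the allowlist, and server-side handler extensions
    # (.ashx, .aspx, ...) are never accepted.
    stem, dot, ext = base.rpartition(".")
    ext = ext.lower()
    if not dot or not stem or ext not in IMAGE_SIGNATURES:
        return UploadDecision(False, "extension not allowed")

    # Content check: the declared type must match the real leading bytes.
    if not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        return UploadDecision(False, "content does not match extension")

    # Never keep the client's name; generate a random one with the verified extension.
    stored = f"{secrets.token_hex(16)}.{ext}"
    return UploadDecision(True, "ok", stored)


if __name__ == "__main__":
    # Constructed sample inputs: a minimal PNG header and a non-image payload.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(validate_image_upload("logo.png", png))
    print(validate_image_upload("handler.ashx", b"not an image"))
    print(validate_image_upload("../logo.png", png))
```

The validated file should then be written outside the web root (or to a location the application server will not execute from) and served back through a handler that sets the image content type, so that even a validation slip does not turn an upload into code execution.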

While the full bug bounty report has been restricted by Starbucks, it is noted that the bug bounty hunter's analysis of the issue revealed "additional endpoints on other out of scope domains that shared this vulnerability."


A CVE has not been issued for the critical vulnerability, but a severity score of 9.8 has been added to the report. 

Ko2sec was awarded $5,600 for his findings. 

The RCE is not the only submission the researcher has made to Starbucks. In October, Ko2sec described an account takeover exploit in the Starbucks Singapore website caused by open test environments. It was possible to target users by knowing their email address, view their personal information, and even use any credit loaded in their account wallets to make purchases. 


The bug bounty hunter received $6,000 for this previous report. 

To date, Starbucks has received 1,068 vulnerability reports on HackerOne. The average bounty paid out for valid submissions is between $250 and $375, while critical bugs are worth $4,000 to $6,000. In total, the coffee chain has paid more than $640,000 to bug bounty hunters, with $20,000 cashed out in the past 90 days. 

ZDNet has reached out to Starbucks and will update when we hear back.
