Remote code execution vulnerability uncovered in Starbucks mobile platform

The researcher’s report revealed multiple endpoints vulnerable to the same flaw.

A potential remote code execution (RCE) bug has been patched in one of Starbucks' mobile domains. 

The US coffee giant runs a bug bounty platform on HackerOne. A new vulnerability report from Kamil "ko2sec" Onur Özkaleli, first submitted on November 5 and made public on December 9, describes an RCE issue found on mobile.starbucks.com.sg, a platform for Singaporean users.

According to the advisory, ko2sec discovered an .ashx endpoint on mobile.starbucks.com.sg that was intended for handling image files. However, the endpoint did not restrict the types of file that could be uploaded, which means that attackers abusing the issue could potentially upload malicious files and remotely execute arbitrary code.
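The kind of server-side check whose absence the advisory describes, as an added example that is not from the report or from Starbucks' code: an image upload is accepted only if its extension is on an allowlist and its content starts with a matching file signature, and it is stored under a server-generated name. The function names, the size limit and the sample uploads are assumptions made for this illustration, and Python is used in place of the ASP.NET handler to show the logic only.

```python
import os
import secrets

# Allowlist: canonical extension -> accepted file signatures (magic bytes).
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024  # assumed size limit for this example


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def validate_image_upload(client_name: str, data: bytes) -> str:
    """Return a server-generated storage name, or raise UploadRejected."""
    # Only the final extension counts; "a.jpg.aspx" is treated as ".aspx".
    ext = os.path.splitext(client_name.strip())[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext or '(none)'} not allowed")
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    # Content must start with a signature matching the claimed type.
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match claimed image type")
    # Never reuse the client's file name: no path segments, no extra
    # extensions, no chance of overwriting an existing file.
    return secrets.token_hex(16) + ext


def check(client_name: str, data: bytes) -> str:
    """Helper for the demo: 'stored' or the rejection reason."""
    try:
        validate_image_upload(client_name, data)
        return "stored"
    except UploadRejected as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed sample uploads (not taken from the report).
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    text = b"<%-- constructed non-image content --%>"
    for name, body in [("avatar.png", png), ("avatar.ashx", text),
                       ("avatar.png", text), ("a.jpg.aspx", png)]:
        print(name, "->", check(name, body))
```

A signature check alone does not rule out files that are valid images and also contain script, so uploads should additionally be stored where the web server will not execute them.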

While the full bug bounty report has been restricted by Starbucks, it is noted that the bug bounty hunter's analysis of the issue revealed "additional endpoints on other out of scope domains that shared this vulnerability."

A CVE has not been issued for the critical vulnerability but a severity score of 9.8 has been added to the report. 

Ko2sec was awarded $5,600 for his findings. 

The RCE is not the only submission the researcher has made to Starbucks. In October, Ko2sec described an account takeover exploit in the Starbucks Singapore website caused by open test environments. It was possible to target users by knowing their email address, view their personal information, and even use any credit loaded in their account wallets to make purchases. 

The bug bounty hunter received $6,000 for this previous report. 

To date, Starbucks has received 1068 vulnerability reports on HackerOne. The average bounty paid out for valid submissions is between $250 and $375, while critical bugs are worth $4000 - $6000. In total, the coffee chain has paid more than $640,000 to bug bounty hunters, with $20,000 cashed out in the past 90 days. 

ZDNet has reached out to Starbucks and will update when we hear back.
