Ever registered on StarBucks website? Change your passwords now!





If you are one of those Millions Starbucks customers who have registered their accounts and credit card details on StarBucks website, then your banking details are vulnerable to hackers.





Mohamed M. Fouad from Egypt, has found An Independent Security Researcher,from Egypt, has found three critical vulnerabilities on StarBucks website that could have allowed attackers to take over your account in just one click.

The vulnerabilities include:

Remote Code Execution

Remote File Inclusion lead to Phishing Attacks

lead to Phishing Attacks CSRF (Cross Site Request Forgery)





Stealing Credit Cards Details





In case of Remote File Inclusion flaw, an attacker can inject a file from any location into the target page, which includes as a source code for parsing and execution, allowing attacker to perform:

Remote Code Execution on the company's web server

on the company's web server Remote Code Execution on the client-side, potentially allowing attacker to perform other attacks such as Cross-Site Scripting (XSS)

(XSS) Data theft or data manipulation via Phishing attacks in an attempt to hijack customers' accounts containing credit cards details





Hijacking Starbucks Store Account Using CSRF





CSRF or Cross-Site Request Forgery is a method of attacking a website in which an intruder masquerades as a legitimate user. All attackers need to do is get the target browser to make a request to the site on their behalf, if they can either:

Convince users to click on their HTML page

Insert arbitrary HTML in a target site

In this case, an attacker can use CSRF to trick a victim into clicking a URL that changes user's store account information including account password.





This could allow the attacker to hijack victims' accounts, delete accounts or change victims' email addresses.





Video Demonstration





Fouad has also provided a video demonstration as a Proof of Concept to show the attack in work. You can watch the video given below:





In a white-hat style, Fouad reported the critical flaws to StarBucks twice but didn't get any reply from the team.





Fouad then reported the same flaws to US-CERT, which confirmed the vulnerabilities that were fixed by the StarBucks team nearly ten days ago.





However, Fouad is still waiting for the reply and his bug bounty from StarBucks team, as the company started the bug bounty program just two months ago.