If you are one of the millions StarBucks users don’t waste time and change your password as soon as possible. StarBucks users who have registered an account and linked their credit card to it are potentially vulnerable to cyber attacks.

The Egyptian security researcher Mohamed M. Fouad has spotted three critical vulnerabilities in the StarBucks website that could be exploited by attackers to take over the user’s account in just one click.

The vulnerabilities includes:

Remote Code Execution

Remote File Inclusion lead to Phishing Attacks

CSRF (Cross Site Request Forgery)

A Remote File Inclusion flaw can be exploited by an attacker to inject a file from any location into the target page that includes the source code for launch the attack by performing one of these actions:

Remote Code Execution on the company’s web server

Remote Code Execution on the client-side that could be exploited to launch a Cross-Site Scripting (XSS) attack.

Data theft or data manipulation via Phishing attacks in an attempt to hijack customers’ accounts containing credit cards details

CSRF or Cross-Site Request Forgery is an hacking technique method of attacking a website in which the attacker operates on behalf of a legitimate user. The attackers just need to get the target browser to make a request to the site on their behalf, possible attack scenarios are:

Convince users to click on their HTML page

Insert arbitrary HTML in a target site

Mohamed M. Fouad exploited the CSRF by tricking the victim into clicking a URL that changes user’s store account information including account password.

In this way the expert was able to hijack victims’ accounts, delete accounts or change victims’ email addresses.

Fouad has also provided the following video PoC:

Fouad ethically reported the critical flaws to StarBucks but he never received any reply from the company.

The expert also teported the flaws to the US-CERT, which confirmed the existence of the vulnerabilities.

StarBucks has fixed the vulnerabilities a couple of weeks ago, let’s hope the company will award Fouad under the bug bounty program recently launched.

It’s not the first time that I write about security vulnerabilities in StarBucks systems.

Early 2014, the security researcher Daniel E. Wood discovered a vulnerability in the Starbucks official iOS app related to the insecure storage of user data. 10 million Starbucks customers were at risk for the flaw in the official iOS app.

A few months later, Starbucks was targeted by scammers that were syphoning money from the credit or debit card linked to the customers’ Starbucks accounts.

Pierluigi Paganini

(Security Affairs – StarBucks, hacking)