Tag Archives: Starbucks

AVG

No such thing as a free lunch, but there is ‘free coffee’ at Starbucks

Leave a comment

Have you added up your spending on Starbucks coffee lately?  If like me you grab a coffee five days a week at $3.65 then you have an annual bill of just under $1000. When I saw that a hacker had found a way to get unlimited free coffee it caught my interest, especially see that there have been a number of Starbucks related issues over the last 12 months.

Egor Homakov’s hack is more a logic mistake or bug than a hack, you can read his blog on how he did it in detail here. He started by purchasing three gift cards with a value of $5, the type anyone can purchase over the register.

Registering the cards online at starbucks.com then allows you to move money between cards and top them up as necessary. Homakov then started sending requests to move the cash between the cards using 2 different browsers at the same time. Doing this, he managed to break the logic and transfer the same $5 from card A to card B twice confusing the Starbucks system and gaining $5 in the process, thus making himself an extra $5.

This was possible thanks to what is known as a Race Condition in the way the transaction is processed.  It takes place in two steps, the request and the acknowledgement.

In theory, this exploit could be run indefinitely to generate an unlimited amount of funds on a gift card.

Homakov did not do this though, after gaining the extra cash he tested the cards in a store purchasing coffee and a sandwich at a total of $16.70, proving he had more than he started with but limiting the loss to Starbucks to just $1.70.

Receipt

Image courtesy of sakurity.com

As a responsible security expert he contacted Starbucks through their support system on March 23 and did not receive a response until April 29, and the bug has now been closed.

There seems to be a pattern of hacks and bugs at Starbucks, just a few weeks ago there was another issue with gift cards and the transfer of funds linked to bank account, see the analysis here. And last year there was an issue that passwords on the Starbucks app for iOS were being held in clear text, this one had a similar experience with Starbucks taking time to answer the disclosure from the expert, see the article here.

Starbucks mentioned the word ‘fraud’ when talking with Homakov rather than understanding that a responsible expert may have just saved them millions of pounds and saying thank you.

Personally I think he should be rewarded with at least a years free coffee, at $1000 it would seem a small price to pay.

You can follow me on Twitter @TonyatAVG

 

 

 

 

Avira

Unlimited Free Coffee at Starbucks? A Hacker Made It Happen

Leave a comment

Egor Homakov made it actually happen. In his blogpost he describes how he managed to find a way to generate an unlimited amount of money on Starbucks gift cards.

If you are like me the only thing you want to know now is “HOW?!” (and your second thought will probably be: I want this so bad!).  So let me curve your enthusiasm right now: Homakov of course did the right thing and reported the exploit to Starbucks.

Now back to topic! What the security expert did was to use a vulnerability called “race condition”. He bought three Starbucks card for $5 each and tried to use the vulnerability to transfer money between the cards without it being deduced.

“So the transfer of money from card1 to card2 is stateful: first request POST /step1?amount=1&from=wallet1&to=wallet2 saves these values in the session and the second POST/step2?confirm actually transfers the money and clears the session”, Homakov writes and continues: “After 5 failed attempts I was about to give up. Race condition is a kind of a vulnerability when you never know if the app is vulnerable, you just need to try some more. […]But yeah, the 6th request created two $5 transfers from wallet1 with 5 dollars balance. Now we have 2 cards with 15 and 5 (20 in total).”

The only thing left to do was to buy something with this money in order to deliver the  proof of concept. One chicken sandwich, a few bottles of water, and some gum later the new balance on his cards was $5.70.

Starbucks was pretty unhappy with the stunt despite Homakov adding the $10 to his account from his credit card and disclosing the bug immediately.  They might have been even unhappier though, if a lot of hungry and coffee addicted customers would have abused the system …

The post Unlimited Free Coffee at Starbucks? A Hacker Made It Happen appeared first on Avira Blog.

AVG

Hackers Using Starbucks Gift Cards to steal money

Leave a comment

Earlier in May, researcher Bob Sullivan reported that hackers were targeting Starbucks mobile users and using the Starbucks app to steal money through linked credit cards.

The Starbucks app links to a credit card so that the user can prepay for goods and purchase Starbucks gift cards for friends and family to spend in store.

Reports indicate that the gift cards are fundamental to the attacks.

After gaining access to the victim’s Starbucks account, attackers create a new gift card for the entire balance of the account and issue it to themselves. The problem is then compounded  as the Starbucks app automatically tops up the user’s balance when it gets low. This means that the attacker can then strike again.

Within a few minutes, attackers could potentially siphon hundreds of dollars through gift cards without even needing the victim’s credit card details.

In a recent blog post, Starbucks recently defended the security of their app and said that “News reports that the Starbucks mobile app has been hacked are false.”

Instead, they say that it is reusing login details from other sites that is putting customers at risk:

Occasionally, Starbucks receives reports from customers of unauthorized activity on their online account. This is primarily caused when criminals obtain reused names and passwords from other sites and attempt to apply that information to Starbucks. To protect their security, customers are encouraged to use different user names and passwords for different sites, especially those that keep financial information.

 

This isn’t the first time that the Starbucks app has come under fire, after last year it emerged that it stores users’ passwords on the device in plain text.

 

How to help protect yourself from attacks such as these:

Pick a strong, unique password

It goes without saying that this attack would not be possible if hackers were shut out of Starbucks accounts. Therefore, keeping a strong and unique password (one that is not used on any other site) is one of the most important things you can do to help protect yourself from an attack like this. For help creating a strong password, check out this simple guide.

 

Turn off or limit auto-top up

One of the things that makes this attack so dangerous is the fact that the damage can escalate rapidly thanks to the auto top-up functionality used by the Starbucks app (and many others like it).

While automatically replenishing your account balance can be an incredibly convenient thing, if you are concerned about attacks like these, disable or set a deposit limit on your auto top-up.

 

Regularly check your accounts

Just like with online banking fraud, one of the best ways to protect yourself or recover from attacks such as this is to stay vigilant. Regularly check your bank statements and online account histories for suspicious activity and do not hesitate to get in touch with your bank or retailer should something unexpected appear.

For Starbucks users, if you see any suspicious activity on your Starbucks Card or mobile app, please immediately notify Starbucks customer service at 1-800-STARBUC.