A security researcher by the name of Egor Hamakov, part of the Sakurity security consultancy company, found a weakness known as a race condition within in the Starbucks website which is responsible for checking balances and transferring consumer funds to Starbucks gift cards. To test the exploit with a ‘live test, Hamakov purchased three $5 gift cards and transferred the balance of card A to card B twice, resulting in a total balance of $20 (instead of the starting balance of $15) and a net gain (through exploit) of $5. In theory, this exploit could be used to generate unlimited amounts of money.
Hamakov visited a San Francisco Starbucks to test the exploit and make sure that the cards actually held $20. Hamakov used his two gift cards to make a $16.70 purchase. After making the exploited purchase, he then loaded up the gift card with an additional $10 “to make sure the US justice system will not put us in jail over $1.70,” Hamakov wrote in a blog post. In covering the purchase, Hamakov not only tested that the exploit would work, but reimbursed Starbucks for the funds used to test the exploit, all with good intentions. After Hamakov went to report the bug to Starbucks, he was harassed rather than thanked. Hamakov wrote:
The hardest part – responsible disclosure. Support guy honestly answered there’s absolutely no way to get in touch with technical department and he’s sorry I feel this way. Emailing InformationSecurityServices@starbucks.com on March 23 was futile (and it only was answered on Apr 29). After trying really hard to find anyone who cares, I managed to get this bug fixed in like 10 days.
The unpleasant part is a guy from Starbucks calling me with nothing like “thanks” but mentioning “fraud” and “malicious actions” instead. Sweet!
Hamakov had an earlier phone call with a Starbucks official that promised to pay a $1,000 bug bounty reward, but now he was being threatened rather than thanked. Things could have been handled better by both sides. Starbucks could have welcomed the free security audit, and Hamakov could have reported it without testing to see if the exploit worked. As a professional cracker, Hamakov knew better than to access someone’s computer network or accounts without explicit permission. Hamakov was not entitled to make the fraudulent purchase, Starbucks never asked him to. He probably would have been paid the $1,000 bug bounty had he just reported the vulnerability rather than taking it on himself to test the system without the direct permission of Starbucks. Nevertheless, Hamakov rallied supporters on Twitter which came to his aid defending his actions.
This situation could have been handled better by both parties, Hamakov could have reported the bug without testing it himself, and Starbucks could have been thankful rather than threaten Hamakov, due to the fact that he reimbursed Starbucks for the fraudulent gains on his gift cards.
Starbucks released the the following Statement:
Like all major retailers, Starbucks has safeguards in place to constantly monitor for fraudulent activity. After this individual reported he was able to commit fraudulent activity against Starbucks, we put safeguards in place to prevent replication.
While we aren’t able to go into specifics about individual contacts, we have had strong success partnering with the research community and will continue to welcome engagements.
Current payment systems, especially gift card systems, have had many bugs which allow exploits or illicit gains. While Starbucks does not accept Bitcoin directly, Fold can be used to purchase Starbucks using cryptocurrency, in case you want to ditch the gift cards which bulk up your physical wallet.
Consolidation of physical gift cards into an electronic gift card will likely be a shift we will see in the coming years, however, gift cards still remain one of the most gifted presents, especially since they are essentially tokens that represent any item (within the price range) that we want them to be, and they make a perfect last minute gift. Gyft and Egifter have already made steps to improve the process of E-gift cards, and they offer a bonus on cryptocurrency purchases.
What do you think about Hamakov’s reporting of the Starbucks giftcard bug? Comment below!
Images via Pixabay and Starbucks.