The researcher's report revealed multiple endpoints susceptible to the same flaw.
A potential remote code execution (RCE) vulnerability has been found on one of Starbucks' mobile domains.
The US coffee chain runs a bug bounty program on HackerOne. A new vulnerability reported by Kamil "ko2sec" Onur Özkaleli, first submitted on November 5 and made public on December 9, describes an RCE issue on mobile.starbucks.com.sg, a platform for Singaporean users.
According to the advisory, ko2sec discovered an .ashx endpoint on mobile.starbucks.com.sg that was meant to handle image files. The endpoint did not restrict the type of file that could be uploaded, which means an attacker abusing the flaw could upload a malicious file (a server-side script rather than an image) and potentially execute arbitrary code on the server remotely.
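To make the bug class concrete, here is an added example; it is not code from the report or from Starbucks' handler, whose source is not public. It shows, in Python, the unrestricted-upload pattern the advisory describes next to the validation an image endpoint should perform before writing anything to disk (strip client-supplied paths, allowlist the final extension, reject double extensions and IIS-style `;` tricks, check magic bytes, and never reuse the client's filename). The allowed formats, the directory layout and the sample payloads are assumptions made for the example.

```python
import os
import secrets
import tempfile
from dataclasses import dataclass

# Assumed allowlist for an image-only endpoint (the report does not state the intended set).
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}

# Leading bytes each allowed format must start with; the body is checked against these.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Extensions an ASP.NET/IIS host would execute if they landed under the web root.
EXECUTABLE_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp", ".cshtml", ".config"}

# Constructed sample payloads (not real uploads): a minimal PNG/JPEG header and a script stub.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
SAMPLE_SCRIPT = b'<%@ Page Language="C#" %>\n<% /* server-side code would go here */ %>'


@dataclass
class UploadResult:
    accepted: bool
    reason: str
    stored_name: str = ""  # server-generated name, only set when accepted


def vulnerable_save(filename: str, data: bytes, upload_dir: str) -> str:
    """The flawed pattern: trust the client's filename and write whatever was sent.

    If upload_dir is served by the web server, a client sending 'shell.aspx'
    has just placed an executable page on the host. Returns the path written."""
    path = os.path.join(upload_dir, os.path.basename(filename))
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def validate_image_upload(filename: str, data: bytes) -> UploadResult:
    """Decide whether an upload may be stored; the caller writes only on accept."""
    # 1. Drop any directory component the client supplied (both separator styles).
    base = os.path.basename(filename.replace("\\", "/"))
    # 2. Reject names carrying ';' or NUL, which older IIS/handlers have treated as a
    #    terminator ("shell.aspx;.png" executed as .aspx).
    if any(ch in base for ch in ";\x00"):
        return UploadResult(False, "forbidden character in filename")
    # 3. Allowlist the final extension, case-insensitively.
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return UploadResult(False, f"extension {ext or '(none)'} not allowed")
    # 4. Reject double extensions whose inner part is executable ("shell.aspx.png").
    inner_ext = os.path.splitext(stem)[1].lower()
    if inner_ext in EXECUTABLE_EXTENSIONS:
        return UploadResult(False, "executable inner extension")
    # 5. The content must look like the declared image format.
    if not any(data.startswith(m) for m in MAGIC[ext]):
        return UploadResult(False, "content does not match declared image type")
    # 6. Never reuse the client's name: a random server-side name plus the vetted extension.
    return UploadResult(True, "ok", secrets.token_hex(16) + ext)


def safe_save(filename: str, data: bytes, store_dir: str) -> UploadResult:
    """Store an upload only after validation; store_dir should sit outside the web root."""
    result = validate_image_upload(filename, data)
    if result.accepted:
        with open(os.path.join(store_dir, result.stored_name), "wb") as fh:
            fh.write(data)
    return result


if __name__ == "__main__":
    tmp = tempfile.mkdtemp()
    print("vulnerable handler wrote:", vulnerable_save("shell.aspx", SAMPLE_SCRIPT, tmp))
    for name, body in [("shell.aspx", SAMPLE_SCRIPT), ("cat.png", SAMPLE_PNG),
                       ("shell.aspx.png", SAMPLE_PNG), ("cat.png", SAMPLE_SCRIPT)]:
        print(f"{name!r}: {safe_save(name, body, tmp)}")
```

The order of the checks matters: the extension allowlist alone would pass `shell.aspx.png` and `shell.aspx;.png`, and a magic-byte check alone would pass a script with a PNG header prepended, so the hardened path applies all of them and still refuses to place the file under a name or directory the server would execute.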
Although Starbucks has restricted the full bug bounty report, it notes that the bug hunter's analysis of the issue revealed "additional endpoints on other out of scope domains that shared this vulnerability."
No CVE has been issued so far for the vulnerability, but a severity score of 9.8 (critical) is listed in the report.
Ko2sec was awarded $5,600 for his findings.
The RCE isn't the only submission the researcher has made to Starbucks. In October, ko2sec described an account takeover exploit on the Starbucks Singapore website caused by exposed test environments. It was possible to target users knowing only their email address, view their personal information, and even spend any credit loaded in their account wallets to make purchases.
The bug bounty hunter received $6,000 for this previous report.
To date, Starbucks has resolved 1,068 vulnerability reports on HackerOne. The average bounty for valid submissions is between $250 and $375, while critical bugs are worth around $4,000 to $6,000. In total, the coffee chain has paid more than $640,000 to bug hunters, with $20,000 paid out in the past 90 days.