14
iamrp
5y

"One misstep from developers at Starbucks left exposed an API key that could be used by an attacker to access internal systems and manipulate the list of authorized users," according to Bleeping Computer's report.

Vulnerability hunter Vinoth Kumar reported the leak, and Starbucks later rated it a "significant information disclosure" that qualified for a bug bounty. Along with identifying the GitHub repository and the file hosting the API key, Kumar provided proof-of-concept (PoC) code demonstrating what an attacker could do with it. Apart from listing systems and users, an adversary could also take control of the Amazon Web Services (AWS) account, execute commands on systems, and add or remove users with access to the internal systems.

The company paid Kumar a $4,000 bounty for the disclosure, which is the maximum reward for critical vulnerabilities.
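The check a practitioner wants after a story like this is a scan of everything committed to a repository for credential-shaped strings. The script below is an added example, not code from the original post, from Bleeping Computer or from Starbucks, and it makes no claim about which key format was actually leaked. It uses the documented shape of an AWS access key ID (`AKIA` followed by 16 upper-case alphanumerics) plus a heuristic of its own: a quoted value of 16 or more characters assigned to an identifier containing `api_key`, `secret`, `token` or `password`, flagged only when its Shannon entropy is above an assumed threshold of 3.5 bits per character. The sample files, their paths and the threshold are constructed for illustration; the AKIA/secret pair is the placeholder pair from AWS's own documentation, not a live credential.

```python
"""Minimal committed-credential scanner (added example, not the page's own code)."""
import math
import re
from dataclasses import dataclass
from typing import Dict, List

# AWS access key IDs have a documented shape: "AKIA" followed by 16 upper-case
# alphanumerics. Everything else in this file is a heuristic, not an AWS rule.
AWS_ACCESS_KEY_ID = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")

# Heuristic: an identifier containing api_key/secret/token/password assigned a
# quoted value of 16+ non-blank characters (covers .py/.js/.json/.env styles).
GENERIC_ASSIGNMENT = re.compile(
    r"""(?i)\b([a-z_]*(?:api[_-]?key|secret|token|password)[a-z_]*)['"]?\s*[:=]\s*['"]([^'"\s]{16,})['"]"""
)

# Values starting like this are placeholders, not leaked material.
PLACEHOLDER_PREFIXES = ("<", "${", "{{", "changeme", "your")

ENTROPY_THRESHOLD_BITS = 3.5  # assumption: chosen against the constructed samples below


@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    masked: str  # never carry the full value into a report


def shannon_entropy(value: str) -> float:
    """Bits per character of the string; 0.0 for one repeated character."""
    if not value:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def mask(value: str) -> str:
    """Keep only a short prefix and suffix so the report does not re-leak the secret."""
    return f"{value[:4]}...{value[-4:]}" if len(value) > 8 else "***"


def scan_text(path: str, text: str) -> List[Finding]:
    """Scan one file's content line by line and return every finding."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append(Finding(path, line_no, "aws_access_key_id", mask(m.group(1))))
        for m in GENERIC_ASSIGNMENT.finditer(line):
            value = m.group(2)
            if value.lower().startswith(PLACEHOLDER_PREFIXES):
                continue  # documentation placeholder, not a credential
            if shannon_entropy(value) >= ENTROPY_THRESHOLD_BITS:
                findings.append(Finding(path, line_no, "high_entropy_assignment", mask(value)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> content (a working tree or historical blobs)."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample repository. The AKIA/secret pair is the placeholder pair
# from AWS's own documentation, not a live credential.
SAMPLE_FILES: Dict[str, str] = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "deploy/config.json": (
        '{"api_key": "sk-live-9f8e7d6c5b4a39281706f5e4d3c2b1a0", "region": "us-east-1"}\n'
    ),
    "README.md": 'Export API_KEY="<insert-your-api-key-here>" before running the tests.\n',
    "src/app.js": 'const token = "aaaaaaaaaaaaaaaaaaaa"; // low entropy, not a secret\n',
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} {f.rule} {f.masked}")
```

Run against the constructed tree it reports the two lines in `config/settings.py` and the `api_key` in `deploy/config.json`, and stays quiet on the README placeholder and the repeated-character token. Two caveats matter in practice: a key that was committed once remains in git history after the file is deleted, so the scan has to cover every historical blob (for example the output of `git log -p`), not just the working tree; and a hit means the key is rotated and its use audited, since removing it from the repository does nothing about copies already cloned.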

Comments
  • 13
    cheap!
  • 10
    So cheap. The PR storm alone would have cost them SO MUCH MORE.
  • 16
    A similar thing happened here in Hungary some time ago, when a dude found a vulnerability in the local transit company's systems. He could have abused this to get free tickets and passes for his lifetime, but instead he reported it to the company.

    Instead of getting paid for it, he got sued and went to court. God, I love this country!
  • 1
    @OneOrZero Only in Hungarian
    https://444.hu/2017/07/...
  • 2
    @OneOrZero found it in english (might not be 100% accurate)
    https://techcrunch.com/2017/07/...
  • 2
    4000$?
    That's a joke for complete server access. The guy could have sold that for literal millions.