Directory traversal vulnerability exposed 100 million customer records

UPDATED A security flaw in Starbucks’ backend web infrastructure potentially exposed the records of up to 100 million customers of the coffee chain.

The vulnerability, which was identified by security researcher Sam Curry and resolved before it could be exploited, left user records including names, emails, phone numbers, and addresses at risk.

The problem stemmed from a directory traversal bug.

Curry got on the trail of the flaw after ordering a Starbucks gift card for a friend’s birthday.

He noticed the request resulted in API calls that seemed “suspicious” because they returned data that appeared to be coming from another host.

WAF bypass

Starbucks’ bug bounty program prompted Curry to dig deeper. His subsequent investigations revealed that endpoints under /bff/proxy/ on routed requests internally to retrieve and store data.

Furthermore, it was possible to traverse these API calls to hit URLs that ought to be inaccessible on the internal host.

Starbucks maintained a web application firewall (WAF), but Curry was able to circumvent this layer of security defense.

Read more of the latest bug bounty news

The researcher, who was assisted in his research by fellow security researcher Justin Gardner and the use of Burp Intruder, discovered that one internal API had an exposed Microsoft Graph instance which could have allowed an attacker to exfiltrate nearly 100 million user records.

The two researchers were able to confirm this issue by accessing their own data through a hack against Starbucks’ web infrastructure.

Other internal endpoints would have likely granted the researchers access to and the ability to modify things like billing address, gift cards, rewards, and offers.

Issues in this area, however, weren’t tested and therefore remain unconfirmed.

$4k bug bounty

Curry and Gardner reported their findings – along with evidence they were able access its contact database – to Starbucks on May 16.

“The Starbucks team worked very quickly through this issue and fixed it within a day,” Curry reports.

The researcher – who published a detailed technical write-up of his findings last week – earned a $4,000 payout from Starbucks under its bug bounty program.

Curry told The Daily Swig that the class of vulnerability suffered by Starbucks is “well known but under researched”. He said that he had previously found similar problems elsewhere adding that the impact from case to case varies.

Starbucks is yet to respond to a request for comment.

This story was updated to add comment from researcher Sam Curry.

RELATED School’s out: Meet the teen hackers swapping books for bugs