Hackerone vulnerability analysis: Starbucks privacy data leakage

*The vulnerabilities discussed in this article have been reported to the vendor and have been fixed. This article is for technical research and discussion only; using it for illegal purposes is strictly forbidden, and anyone who does so bears all resulting consequences.


Introduction
One dreary summer afternoon, Sam Curry had spent almost a whole day on Verizon Media's public bug bounty program without finding anything, so he decided to set it aside and do something else. Oh, by the way, his friend's birthday was coming up, so he went to the Starbucks official website to buy her a gift.

While browsing the Starbucks official website, Sam noticed a large number of API calls and could not resist testing them, and that testing turned up the first clue to the vulnerability. Under the API endpoint /bff/proxy/ on the Starbucks website, Sam first found that the path /bff/proxy/orchestra/get-user returned his own registration information. He then ran a dictionary enumeration against /bff/proxy/orchestra/get-user/../, but unfortunately it only returned a 404 status. Still, this at least showed that interacting with the backend server was feasible; all that remained was to find the correct path.

Sam then looked for a path that takes user-supplied parameters, and found:

/bff/proxy/stream/v1/me/streamItems/:streamItemId

He then tested:

/bff/proxy/stream/v1/users/me/streamItems/..\..\

This time the server responded with 403, a sign that he was getting close. After adding 7 \..\. URL constructs that bypassed the WAF, the server's response became 400. Finally, working together with his friend Justin, the breakthrough came: a path that gave access to 99356059 customer records:

/bff/proxy/stream/v1/users/me/streamItems/web\..\.\..\.\..\.\..\.\..\.\..\.\search\v1\Accounts\

Nearly 100 million Starbucks customer records, obtained this easily!
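From the defender's side, the lesson of the probes above is that a proxy must authorize the canonical target of a request, not the raw string: backslashes and \..\. segments only work because the backend resolves them after the front end has checked the prefix. The following is an added example, not Starbucks' code or Sam's; it assumes a hypothetical allow-list root for the streamItems endpoint, canonicalizes request paths the way a lenient backend would, and runs the check over constructed access-log lines modelled on the probes in this article.

```python
import posixpath
from urllib.parse import unquote

# Assumed allow-list root for the user-scoped stream endpoint discussed above.
ALLOWED_PREFIX = "/bff/proxy/stream/v1/users/me/streamItems/"


def decode(raw_path: str) -> str:
    """Percent-decode twice (catches double encoding) and treat backslashes as
    separators, which is how a lenient backend would read the '\\..\\.' trick."""
    return unquote(unquote(raw_path)).replace("\\", "/")


def canonicalize(raw_path: str) -> str:
    """Collapse '.', '..' and repeated slashes so the check sees the real target."""
    return posixpath.normpath(decode(raw_path))


def check_request(raw_path: str) -> tuple[bool, str, str]:
    """Return (allowed, canonical_path, reason) for one request path."""
    canon = canonicalize(raw_path)
    if ".." in decode(raw_path).split("/"):
        # Reject any parent segment outright, even one that would stay in bounds.
        return False, canon, "traversal-segment"
    if canon != ALLOWED_PREFIX.rstrip("/") and not canon.startswith(ALLOWED_PREFIX):
        return False, canon, "escapes-prefix"
    return True, canon, "ok"


def flag_log_lines(lines: list[str]) -> list[tuple[str, str, str]]:
    """Scan 'METHOD PATH STATUS' access-log lines; return (path, canonical, reason)
    for every request a detection rule should alert on."""
    findings = []
    for line in lines:
        _method, path, _status = line.split(" ", 2)
        allowed, canon, reason = check_request(path)
        if not allowed:
            findings.append((path, canon, reason))
    return findings


# Constructed sample log lines modelled on the probes described in the article.
BASE = "/bff/proxy/stream/v1/users/me/streamItems/"
SAMPLE_LOG = [
    "GET " + BASE + "1234 200",
    "GET " + BASE + "..\\..\\ 403",
    "GET " + BASE + "web" + "\\..\\." * 6 + "\\search\\v1\\Accounts\\ 200",
]
```

The third sample path canonicalizes to /bff/proxy/search/v1/Accounts, which is why a prefix check on the raw string passes while a check on the canonical path rejects it.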

The vulnerability was ultimately assessed and rated as high-risk, and it earned a $4000 bounty. For the detailed vulnerability report, see Sam's blog or HackerOne.

Vulnerability details:

Sam's blog technical report: https://samcurry.net/hacking-starbucks/

HackerOne vulnerability report: https://hackerone.com/reports/876295
