One dreary summer afternoon, Sam Curry spent most of a day on Verizon Media's public bug bounty program without finding anything, so he decided to set it aside and do something else. A friend's birthday was coming up, so he went to the Starbucks website to buy her a gift.
While browsing the Starbucks site, Sam noticed a large number of API calls and could not resist testing them, and that testing turned up the first clue. Under the API route /bff/proxy/ he found that /bff/proxy/orchestra/get-user returned his own account information. He then tried dictionary enumeration under /bff/proxy/orchestra/get-user/../, which only returned 404 responses. Still, this showed that the proxy would pass requests through to a backend server; all that remained was to find the right path.
Sam then looked for a path that accepted user-supplied parameters and got:
Testing it further gave:
The server now responded with 403, which was getting close. After adding seven `\..\` URL constructs that bypassed the WAF, the response changed to 400. In the end, working with his friend Justin, he uncovered a path that exposed 99,356,059 customer records:
Nearly 100 million Starbucks customer records were that easy to reach!
The vulnerability was ultimately rated high severity and awarded a $4,000 bounty. For the full technical details, see Sam's blog post or the HackerOne report.
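The root cause described above is a front-end proxy that forwarded whatever followed /bff/proxy/ to an internal service, with only a WAF pattern in front of it, so a backslash variant of `..` slipped past the filter. The following is an added example, not code from Starbucks or from Sam Curry's report. It shows how such a proxy route can be hardened: the proxied path is fully percent-decoded, backslashes are treated as separators, any dot-segment is rejected outright, and the remaining path must match an allow-list of backend routes. The allow-list entries and the log lines are constructed for the example; only /bff/proxy/ and orchestra/get-user come from the write-up. A small summary function runs the same decision logic over access-log lines so the traversal attempts stand out in monitoring.

```python
"""Hardened handling for a front-end proxy route of the form /bff/proxy/<backend path>.

Added example (not the vendor's code). Backend route names in the allow-list are hypothetical.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote
import re

PROXY_PREFIX = "/bff/proxy/"  # route name from the write-up

# Hypothetical allow-list: the only backend paths this proxy may forward to.
ALLOWED_BACKEND_PATHS = {"orchestra/get-user", "orchestra/get-cards"}

# Segments may only contain these characters; anything else (dots, nulls, ';') is rejected.
SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9_-]+$")


def decode_fully(text: str, rounds: int = 3) -> str:
    """Percent-decode until stable so a double-encoded %252e%252e does not survive."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            return decoded
        text = decoded
    return text


def canonical_backend_path(raw_path: str) -> Optional[str]:
    """Return the normalised backend path, or None if this is not a proxy request."""
    if not raw_path.startswith(PROXY_PREFIX):
        return None
    tail = raw_path[len(PROXY_PREFIX):].split("?", 1)[0]  # drop the query string
    tail = decode_fully(tail)
    tail = tail.replace("\\", "/")  # a backslash is a separator too; the WAF treated it as text
    segments = [seg for seg in tail.split("/") if seg != ""]  # collapse empty and trailing slashes
    return "/".join(segments)


def decide(raw_path: str) -> Tuple[str, str]:
    """Decide whether a request path may be forwarded.

    Returns ("allow", canonical_path) or ("deny", reason).
    """
    canon = canonical_backend_path(raw_path)
    if canon is None:
        return ("deny", "not a proxy route")
    segments = canon.split("/")
    # Reject dot-segments instead of resolving them: a proxy never needs to walk upwards.
    if any(seg in (".", "..") for seg in segments):
        return ("deny", "path traversal")
    if any(not SAFE_SEGMENT.match(seg) for seg in segments):
        return ("deny", "disallowed characters")
    if canon not in ALLOWED_BACKEND_PATHS:
        return ("deny", "backend path not allow-listed")
    return ("allow", canon)


# Constructed access-log lines in the shape "METHOD PATH STATUS", mirroring the
# plain, ../, \..\ and percent-encoded requests described in the write-up.
SAMPLE_ACCESS_LOG: List[str] = [
    "GET /bff/proxy/orchestra/get-user 200",
    "GET /bff/proxy/orchestra/get-user/../ 404",
    "GET /bff/proxy/orchestra/get-user\\..\\..\\..\\ 400",
    "GET /bff/proxy/orchestra/get-user/%2e%2e/ 403",
    "GET /bff/proxy/orchestra/get-cards 200",
]


def summarize_log(lines: List[str]) -> Dict[str, int]:
    """Count how each logged request would be classified; a useful detection signal."""
    counts: Dict[str, int] = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue  # skip malformed lines
        verdict, reason = decide(parts[1])
        key = "allow" if verdict == "allow" else reason
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_ACCESS_LOG:
        print(line, "->", decide(line.split()[1]))
    print(summarize_log(SAMPLE_ACCESS_LOG))
```

The decisive design choice is that the proxy rejects any dot-segment rather than resolving it; resolving `..` with a path library would have made the traversal silently land on a different backend route, while the allow-list then guarantees that only named routes are reachable regardless of how the WAF behaves. In the sample log, every `../`, `\..\` and `%2e%2e` request is counted under "path traversal", which is the event a detection rule should alert on.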
Sam's blog technical report: https://samcurry.net/hacking-starbucks/
HackerOne vulnerability report: https://hackerone.com/reports/876295