Starbucks left an API (Application Programming Interface) key exposed online without password protection; the key could have been used by attackers to access internal systems and manipulate the list of authorized users.
The issue came to light after Indian security researcher Vinoth Kumar found the exposed key in a public GitHub repository and reported it to Starbucks.
The researcher submitted the flaw through a bug bounty program run on the HackerOne platform. “While going through Github search I discovered a public repository which contains JumpCloud API Key of Starbucks,” Vinoth Kumar said.
“Vinothkumar discovered a publicly available Github repository containing a Starbucks JumpCloud API Key which provided access to internal system information,” said HackerOne.
After further analysis, Starbucks rated the flaw as “critical” because the exposed key allowed attackers to access Starbucks’ JumpCloud API. JumpCloud is an Active Directory management platform that provides user management, web app single sign-on (SSO) access control, and Lightweight Directory Access Protocol (LDAP) service.
The vulnerability reportedly could allow attackers to execute commands on systems, add or remove users who have access to internal systems, and potentially take over the company’s AWS account.
Starbucks acknowledged Kumar’s proof-of-concept (PoC) of the vulnerability and rewarded him with a US$ 4,000 bounty for reporting the flaw.
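The root cause above is a credential committed to a public repository, so the defensive counterpart is scanning commits for key-like values before they are pushed. The scanner below is an added example, not code from Starbucks, JumpCloud, HackerOne or the researcher; its variable-name pattern, entropy threshold and sample config file are assumptions constructed for the demo (the key in it is a made-up hex string, not a real credential).

```python
import math
import re

# Heuristic: a key-like variable name assigned a long literal. The name list and
# the 20-character minimum are assumptions chosen for this demo.
KEY_NAME = r"(?i)\b(?:jumpcloud[_-]?)?(?:api[_-]?key|apikey|secret|token|x-api-key)\b"
ASSIGNMENT = re.compile(KEY_NAME + r"\s*[:=]\s*['\"]?([A-Za-z0-9+/_\-=]{20,})['\"]?")
MIN_ENTROPY = 3.5  # bits per character; random hex/base64 keys score well above this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character (a 40-char random hex string scores close to 4.0)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secrets(text: str):
    """Return [(line_no, value, entropy)] for lines that look like hard-coded keys.

    Low-entropy values (placeholders such as "aaaa...") match the pattern but are
    dropped, which keeps the noise down when this runs as a pre-commit hook.
    """
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = ASSIGNMENT.search(line)
        if not m:
            continue
        value = m.group(1)
        ent = shannon_entropy(value)
        if ent >= MIN_ENTROPY:
            hits.append((line_no, value, round(ent, 2)))
    return hits


# Constructed sample of a config file about to be committed (no real key).
SAMPLE = """\
org = "acme-coffee"
# placeholder below is low-entropy and should not be flagged
jumpcloud_api_key = "ae91c0ffee7b3d4f9a2c6e8d0b1f5a3c7e9d2b4f"
token = "aaaaaaaaaaaaaaaaaaaaaaaa"
retries = 3
"""

if __name__ == "__main__":
    for line_no, value, ent in find_secrets(SAMPLE):
        print(f"line {line_no}: possible secret (entropy {ent}): {value[:6]}...")
```

Wiring `find_secrets` over `git diff --cached` output in a pre-commit hook blocks the commit before the key ever reaches a remote.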
“Thank you for your patience! We have determined that this report demonstrates significant information disclosure and is therefore eligible for a bounty,” stated Starbucks. “At this time, we are satisfied with the remediation of the issue and are ready to move to closure. Thank you again for the report! We hope to see more submissions from you in the future.”
In a similar bug bounty program, Laxman Muthiyah, an India-based security researcher, discovered a bug in Instagram’s account recovery process that could have allowed attackers to break into users’ accounts. The Facebook-owned Instagram rewarded the researcher with a bounty of US$ 10,000 for reporting the vulnerability.
The researcher said that he found the vulnerability while investigating how the photo-sharing application’s account recovery process lets a user regain access to an account after forgetting the password.
According to Muthiyah, the Instagram server used device ID as a unique identifier to validate password reset codes. “When a user requests a passcode using his / her mobile device, a device ID is sent along with the request. The same device ID is used again to verify the passcode,” Muthiyah said in a statement.