A bug is discovered that lets you order coffee indefinitely with a Starbucks card


By FaceMePLS

Egor Homakov, a security consultant who had purchased and used Starbucks cards, discovered how to order coffee indefinitely by exploiting a vulnerability in the cards and the system behind them. When he later contacted Starbucks about the matter, it seems to have developed into an unexpected uproar.

Hacking Starbucks for unlimited coffee
http://sakurity.com/blog/2015/05/21/starbucks.html


Researcher who exploits bug in Starbucks gift cards gets rebuke, not love | Ars Technica
http://arstechnica.com/security/2015/05/researcher-who-exploits-bug-in-starbucks-gift-cards-gets-rebuke-not-love/

The Starbucks Card is a prepaid card that can be used at Starbucks stores, a service that comes with benefits such as "Drink Ticket Gifts for every 5,000 yen Deposit". From the website you can check the balance, add money, move money between cards, and so on, and you can also easily add money at a store.

The website used to check and transfer Starbucks card balances has a vulnerability called a race condition. This is a common bug in sites that handle money online.


In a system with a race condition, the final result changes depending on the timing of operations that the computer performs in parallel, which is a serious problem. Using this phenomenon, Egor succeeded in creating a state where coffee can be ordered indefinitely by hacking the processing path of the Starbucks card.

To trigger the race condition, Egor first purchased three Starbucks cards, then repeatedly transferred money between the cards while accessing the same Starbucks account from two different browsers. As a proof of concept of the hack described above, he moved $5 from Card A, which had a balance of $5 (about 600 yen), to Card B, which had a balance of $10 (about 1,200 yen). As a result of the experiment, he succeeded in increasing the balance of Card B to $15 (about 1,800 yen) while leaving $5 on Card A.
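The check-then-update gap behind this kind of transfer bug, as an added example that is not from the original article or from Starbucks. The store class, its method names and the 0.1-second gap are assumptions, since the page does not show the real server logic; two sessions send the same $5 transfer from Card A ($5) to Card B ($10), and only the version that holds one lock across both the check and the update rejects the second request.

```python
import threading
import time

class CardStore:
    """Toy in-memory balance store in cents (constructed, hypothetical names)."""

    def __init__(self, balances):
        self.cents = dict(balances)
        self._stmt = threading.Lock()  # one statement is atomic, as in a database
        self._txn = threading.Lock()   # serialises a whole transfer (the fix)

    def _read(self, card):
        with self._stmt:
            return self.cents[card]

    def _apply(self, src, new_src, dst, amount):
        with self._stmt:
            self.cents[src] = new_src
            self.cents[dst] += amount

    def transfer_racy(self, src, dst, amount, gap=0.1):
        seen = self._read(src)         # step 1: check the balance
        if seen < amount:
            return False
        time.sleep(gap)                # latency: a second request can pass step 1
        self._apply(src, seen - amount, dst, amount)  # step 2: act on stale value
        return True

    def transfer_atomic(self, src, dst, amount, gap=0.1):
        # Check and update form one critical section. In a real database this
        # is a transaction with a row lock or a conditional UPDATE.
        with self._txn:
            return self.transfer_racy(src, dst, amount, gap)

def run_two_sessions(method_name):
    """Send the same $5 transfer from two sessions at once."""
    store = CardStore({"A": 500, "B": 1000})
    results = []
    def session():
        results.append(getattr(store, method_name)("A", "B", 500))
    threads = [threading.Thread(target=session) for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sorted(results), store.cents

if __name__ == "__main__":
    print("racy:  ", run_two_sessions("transfer_racy"))
    print("atomic:", run_two_sessions("transfer_atomic"))
```

In the racy run both requests pass the balance check and the two cards end up holding $20 in total instead of $15; in the atomic run the second request sees an empty Card A and is refused.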

By J. Money

In addition, to test whether card processing could also be made to fail in a real store, he paid $16.70 (about 2,000 yen) at a Starbucks in San Francisco using the two cards, which held a total of $20 (about 2,400 yen), and the experiment and the hack succeeded there as well.

In the receipt image, the card balance (SBUX Card x 6075 New Balance) is "$5.70 (about 700 yen)", but since $20 minus $16.70 should leave $3.30, the balance was clearly increased illegitimately at the time of processing. In addition, regarding the fact that he used the bug to increase the balance by only a small amount, Egor says, "It is aiming at the range that would not legally put me in prison in the United States."


When Egor reported this problem to Starbucks, it seems he was initially told that a reward of $1,000 (about 120,000 yen) would be paid for discovering the bug, but later, far from thanking him, the actual staff reportedly told him in a phone call that the verification he had carried out in a real store was "a malicious act". Egor and some Twitter users who support him have strongly criticized Starbucks, while Starbucks executives have issued a statement saying, "Starbucks stores are constantly monitoring for fraud. After Mr. Egor reported the irregularity to Starbucks, we installed safeguards to prevent this."

in Note, Posted by logu_ii