Researcher who exploits bug in Starbucks gift cards gets rebuke, not love

Plenty of poor manners to go around in fraudulent $1.70 purchase.

Dan Goodin – May 24, 2015 9:00 am | 164

A security researcher said he found a way to game Starbucks gift cards to generate unlimited amounts of money on them. Both he and the coffee chain are grumbling after he used a fraudulent card to make a purchase, then repaid the amount and reported the vulnerability.

Egor Homakov of the Sakurity security consultancy found a weakness known as a race condition in the section of the Starbucks website responsible for checking balances and transferring money to gift cards. To test if an exploit would work in the real world, the researcher bought three $5 cards. After a fair amount of experimentation, he managed to transfer the $5 balance from card A to card B, not just once as one would expect, but twice. As a result, Homakov now had a total balance of $20, a net—and fraudulent—gain of $5.

The researcher went on to visit a downtown San Francisco Starbucks location to make sure his attack would actually work. He used the two cards to make a $16.70 cent purchase. He went on to deposit an additional $10 from his credit card “to make sure the US justice system will not put us in jail over $1.70,” he explained in a blog post. Here’s where hurt feelings—and arguably an overreaction on the part of both parties—entered into the story. Homakov wrote:

The hardest part – responsible disclosure. Support guy honestly answered there’s absolutely no way to get in touch with technical department and he’s sorry I feel this way. Emailing InformationSecurityServices@starbucks.com on March 23 was futile (and it only was answered on Apr 29). After trying really hard to find anyone who cares, I managed to get this bug fixed in like 10 days.

The unpleasant part is a guy from Starbucks calling me with nothing like “thanks” but mentioning “fraud” and “malicious actions” instead. Sweet!

In an e-mail, Homakov told Ars the Starbucks person who mentioned fraud and malicious actions wasn’t an attorney threatening any kind of legal action, but rather a member of the Starbucks infosec team. But it was a far cry from an earlier phone call, Homakov said, in which a Starbucks official promised to pay a $1,000 bug bounty reward.

“It was just completely uncalled for claiming that I committed fraud,” Homakov said of the latter call. “It made me angry.”

The versions of events as described by Homakov don’t reflect well on Starbucks, but they don’t reflect well on the researcher either. Yes, $1.70 is a small amount of money, and he attempted to credit it back to Starbucks even before he reported the vulnerability. But ultimately, Homakov did create a fraudulent balance on a gift card and he used it to make a real purchase. As a professional penetration tester, Homakov knows better than most people that hackers should never access someone else’s computer network or account without explicit permission.

Homakov and his many defenders on Twitter seem to reason that his admirable intentions behind the fraudulent purchase should serve as some sort of get-out-of-jail-free card for actions that were technically a crime. No doubt, Starbucks would have done better to simply thank Homakov for the free security audit. But Homakov seems to act as if he had some special ethical and legal right to make the fraudulent purchase, even though Starbucks had never asked for his security services.

Starbucks officials released the following statement:

Like all major retailers, Starbucks has safeguards in place to constantly monitor for fraudulent activity. After this individual reported he was able to commit fraudulent activity against Starbucks, we put safeguards in place to prevent replication.

While we aren’t able to go into specifics about individual contacts, we have had strong success partnering with the research community and will continue to welcome engagements.