Recently, a bug bounty hunter discovered that a Starbucks API key was exposed in a public GitHub repository, and reported the vulnerability through the HackerOne bug bounty platform. The flaw earned Starbucks' highest reward tier for serious vulnerabilities.
Researchers said that, through the vulnerability, an attacker could use the API key to access the company's internal system, execute commands directly on it, and manipulate the list of authorized member users.
According to a report published by researchers on HackerOne, the Starbucks JumpCloud API key found in the public repository is:
The researchers reportedly notified Starbucks of the problem as early as October 17 this year, and provided proof-of-concept (PoC) code demonstrating how an attacker could penetrate the system through this vulnerability, obtain user information, and control Amazon Web Services resources. Starbucks removed the API key on October 21, has since fixed the underlying vulnerability, and reports that the related issues have been resolved.
Starbucks has nearly 21,300 stores around the world, covering North America, South America, Europe, the Middle East, and the Pacific, and has a huge number of members worldwide. Patching this vulnerability can therefore be said to have helped Starbucks avoid a potentially serious user information leak and network attack incident!
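The root cause of incidents like this one is a credential committed to a repository. A common defensive control is a secret scanner run before commits reach a shared remote: flag assignments whose name looks credential-like and whose value has the high Shannon entropy typical of generated API keys. The following is an added example written for this article, not code from Starbucks, HackerOne, JumpCloud or the researchers; every key in the sample text is constructed and not a real credential, and the entropy threshold and regex are assumptions chosen for illustration.

```python
import math
import re
import sys
from typing import List, Tuple

# Constructed sample file contents. None of these values is a real key.
SAMPLE_FILE = """\
# config.py (constructed sample, not from any real repository)
JUMPCLOUD_API_KEY = "aK3xQ9vLm2TpR7zWc4Yb8NdF1sGhJ6uE"
DB_HOST = "localhost"
GREETING = "hello_world_hello_world_hello_world"
TEST_PASSWORD = "passwordpasswordpassword"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
"""

# Assumed heuristic: an identifier containing key/secret/token/password,
# assigned a bare or quoted value of at least 16 token-like characters.
ASSIGNMENT_RE = re.compile(
    r'(?i)(?P<name>[a-z0-9_.-]*(?:key|secret|token|password)[a-z0-9_.-]*)'
    r'\s*[=:]\s*["\']?(?P<value>[A-Za-z0-9/+_\-]{16,})["\']?'
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; generated keys score high,
    repeated or dictionary-like strings score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(text: str, entropy_threshold: float = 3.5) -> List[Tuple[int, str, float]]:
    """Return (line_number, variable_name, entropy) for every credential-like
    assignment whose value's entropy meets the threshold."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ASSIGNMENT_RE.search(line)
        if not m:
            continue
        ent = shannon_entropy(m.group("value"))
        if ent >= entropy_threshold:
            findings.append((lineno, m.group("name"), round(ent, 2)))
    return findings


def main(argv: List[str]) -> int:
    # With no arguments, scan the constructed sample; otherwise scan the
    # given files (e.g. from a git pre-commit hook) and fail if any hit.
    if len(argv) <= 1:
        sources = [("<sample>", SAMPLE_FILE)]
    else:
        sources = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in argv[1:]]
    hits = 0
    for path, text in sources:
        for lineno, name, ent in scan_text(text):
            print(f"{path}:{lineno}: possible secret in '{name}' (entropy {ent})")
            hits += 1
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wired into a pre-commit hook (`python scan.py $(git diff --cached --name-only)`), a non-zero exit blocks the commit. The entropy threshold matters: the constructed `TEST_PASSWORD` value matches the name pattern but its repeated characters give it roughly 2.75 bits per character, so it is not reported, while the 32-character key with all-distinct characters scores exactly 5 bits. Pattern-only scanners miss renamed variables and entropy-only scanners drown in false positives from hashes and base64 blobs; combining both, and rotating any key that was ever committed (as Starbucks did by deleting the key), is the practical baseline.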