Starbucks: Possible subdomain takeover at openapi.starbucks.com
@benoculars was able to take advantage of a process flaw to use some of the space provided for openapi.starbucks.com. While we were still securely serving content from this domain and it did not impact users or operations, it would have been possible for @benoculars to serve content from unique URLs not in use by our apps & services. In the past, others have reported that they suspected this to be vulnerable for subdomain takeover but no one had provided evidence. Similarly, we initially closed this report, considering it a false positive. @benoculars then went one step further to provide a non-destructive PoC demonstrating his ability to serve content from our domain. Based on the PoC & repro steps provided, a flaw was identified in the approval process which required human interaction. This was unique in that, given the root cause, it may not have always resulted in a successful takeover. To resolve the issue, operational and platform code changes were introduced. Thanks @benoculars for going the extra step to create that PoC & answer our questions about repro steps. Nice work!