Starbucks: Improper handling of payment callback allows topping up a Swiss Starbucks Card bypassing actual payment via a crafted success message

2019-08-27T07:35:06
ID H1:682617
Type hackerone
Reporter khovansky
Modified 2019-11-18T22:19:34

Description

khovansky uncovered that an attacker could register on https://xtras.starbucks.ch and, using that registration, subsequently generate a password reset email via https://card.starbucks.ch.

After resetting the password for the account, khovansky noticed that this process auto-generates a virtual Swiss Starbucks card. khovansky could then top up this virtual card without completing a transaction by forging a "payment successful" callback.
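The root cause described above is a callback handler that credits the card on the strength of a status field the caller controls. The following is an added illustration, not Starbucks' code and not from the report: a minimal handler in the vulnerable shape beside a hardened one. The hardened version assumes a shared secret with the payment provider and an HMAC-SHA256 signature over the raw callback body (a constructed scheme; real providers differ), binds the callback to an order the server itself created, rejects replays, and credits the amount from the server's own record rather than from the callback. All order ids, card ids and amounts are constructed sample data.

```python
import hashlib
import hmac
import json

# Constructed shared secret. In a real deployment this comes from the payment
# provider's configuration, never from the request itself (assumption).
PROVIDER_SECRET = b"constructed-demo-secret"


def new_state():
    """Fresh in-memory state: pending top-ups the server created, card
    balances, and already-processed order ids. Constructed sample data."""
    return {
        "pending": {"order-1001": {"card_id": "card-42", "amount_cents": 2000}},
        "balances": {"card-42": 0},
        "processed": set(),
    }


def make_callback_body(order_id, status, amount_cents):
    """Build the JSON callback body a provider would post (constructed format)."""
    return json.dumps(
        {"order_id": order_id, "status": status, "amount_cents": amount_cents}
    ).encode()


def provider_sign(body: bytes) -> str:
    """HMAC-SHA256 over the raw body, as a provider holding PROVIDER_SECRET
    would compute it (assumed scheme)."""
    return hmac.new(PROVIDER_SECRET, body, hashlib.sha256).hexdigest()


def vulnerable_handle_callback(state, payload):
    """The shape the report describes: the server believes whatever the caller
    says, so any body claiming 'success' credits the card with no real payment."""
    if payload.get("status") == "success":
        state["balances"][payload["card_id"]] += int(payload["amount_cents"])
        return True
    return False


def hardened_handle_callback(state, body: bytes, signature: str) -> str:
    """Credit a top-up only when the callback is authenticated, matches a
    pending order the server created, has not been seen before, and carries
    the expected amount. Returns a short reason string suitable for logging."""
    # 1. Authenticate the callback with a constant-time comparison.
    if not hmac.compare_digest(provider_sign(body), signature or ""):
        return "rejected: bad signature"
    try:
        payload = json.loads(body)
    except ValueError:
        return "rejected: malformed body"
    order_id = payload.get("order_id")
    # 2. Replay protection: each order is credited at most once.
    if order_id in state["processed"]:
        return "rejected: duplicate callback"
    # 3. Bind the callback to an order this server actually created.
    order = state["pending"].get(order_id)
    if order is None:
        return "rejected: unknown order"
    if payload.get("status") != "success":
        return "ignored: not a success"
    # 4. The amount must match the server's record; the record is what is credited.
    if int(payload.get("amount_cents", -1)) != order["amount_cents"]:
        return "rejected: amount mismatch"
    state["balances"][order["card_id"]] += order["amount_cents"]
    state["processed"].add(order_id)
    del state["pending"][order_id]
    return "credited"
```

The design point is that none of the four checks relies on trusting the HTTP client: authenticity comes from the provider secret, legitimacy from the server-side pending order, and the credited amount from that order. Where a provider offers a server-to-server status query, confirming the order against it before crediting is a further check that does not depend on the callback at all.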

@khovansky — thank you for reporting this vulnerability and your assistance confirming the resolution.