Starbucks: Improper handling of payment callback allows topping up a Swiss Starbucks Card bypassing actual payment via a crafted success message
2019-08-27T07:35:06
ID: H1:682617 | Type: hackerone | Reporter: khovansky | Modified: 2019-11-18T22:19:34 | Report: https://hackerone.com/reports/682617
Description
khovansky uncovered that an attacker could register on https://xtras.starbucks.ch and, using that registration, subsequently trigger a password-reset email via https://card.starbucks.ch.
After resetting the password for the account, khovansky noticed that this process auto-generates a virtual Swiss Starbucks Card. khovansky could then top up this virtual card without completing a transaction by forging a "payment successful" callback.
@khovansky — thank you for reporting this vulnerability and your assistance confirming the resolution.
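The root cause in the report is a top-up endpoint that credits the card on the strength of a "payment successful" message it cannot tell apart from a forged one. The following is an added illustration in Python, not Starbucks' code or the reporter's proof of concept: the trusting handler beside a hardened one that verifies a provider HMAC signature, checks the callback against the order created server-side, and refuses replays. The signing scheme, secret, field names and sample callback are all constructed assumptions.

```python
import hmac
import hashlib
import json

# Shared secret issued by the (hypothetical) payment provider; an assumption for this example.
PROVIDER_SECRET = b"constructed-demo-secret"

# Provider transaction ids already credited, used as an idempotency / anti-replay guard.
credited_transactions = set()


def vulnerable_topup(card_balances, card_id, callback):
    """Credits the card for anyone who posts status=success: the flaw the report describes."""
    if callback.get("status") == "success":
        card_balances[card_id] = card_balances.get(card_id, 0) + callback["amount"]
        return True
    return False


def sign_callback(payload: dict) -> str:
    """Assumed provider scheme: HMAC-SHA256 over canonical JSON of the callback body."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(PROVIDER_SECRET, canonical, hashlib.sha256).hexdigest()


def hardened_topup(card_balances, card_id, callback, signature, expected_amount):
    """Credits the card only if the callback is authentic, matches our pending order, and is unseen."""
    # 1. Authenticity: constant-time comparison against the provider's signature.
    if not hmac.compare_digest(sign_callback(callback), signature):
        return False  # forged or tampered message
    if callback.get("status") != "success":
        return False
    # 2. Binding: the callback must refer to the card and amount of the order we created.
    if callback.get("card_id") != card_id or callback.get("amount") != expected_amount:
        return False
    # 3. Replay protection: each provider transaction id may be credited once.
    txid = callback.get("transaction_id")
    if not txid or txid in credited_transactions:
        return False
    credited_transactions.add(txid)
    # Credit the server-side expected amount, never a value taken from the message.
    card_balances[card_id] = card_balances.get(card_id, 0) + expected_amount
    return True
```

In practice the signature check is usually replaced or complemented by a server-to-server lookup of the transaction at the provider, so that the callback itself is only a hint to go and verify.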