Starbucks: Improper handling of payment callback allows topping up a Swiss Starbucks Card bypassing actual payment via a crafted success message

ID H1:682617
Type hackerone
Reporter khovansky
Modified 2019-11-18T22:19:34
khovansky uncovered that an attacker could register on and, using that registration, subsequently generate a password reset email via

After resetting the password for the account, khovansky noticed that this process auto-generates a virtual Swiss Starbucks Card. khovansky could then top up this virtual card without completing a transaction by forging a "payment successful" callback.

@khovansky — thank you for reporting this vulnerability and your assistance confirming the resolution.
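The root cause behind this report, shown defensively as an added example (not Starbucks' or the reporter's code): a top-up callback handler that credits the card for any client-posted "success" message, beside one that verifies a provider HMAC signature over the callback, matches it against a server-side pending order, and rejects replays. The shared secret, order records and card ids are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed placeholder data for this illustration; none of it is from the real system.
PSP_SECRET = b"example-shared-secret"   # assumed secret shared with the payment provider
PENDING_TOPUPS = {"order-1001": {"card": "card-42", "amount_chf": 2000}}  # recorded server-side before redirecting to pay
CARD_BALANCE = {"card-42": 0}
PROCESSED_ORDERS = set()


def vulnerable_callback(params: dict) -> bool:
    """Pattern behind the report: credits the card for any message that says 'success'."""
    if params.get("status") == "success":
        CARD_BALANCE[params["card"]] += int(params["amount_chf"])
        return True
    return False


def sign(payload: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding, as the provider would compute with the shared secret."""
    msg = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(PSP_SECRET, msg, hashlib.sha256).hexdigest()


def hardened_callback(payload: dict, signature: str) -> bool:
    """Credits the card only for a provider-signed callback that matches a pending order, once."""
    if not hmac.compare_digest(sign(payload), signature):
        return False  # forged or tampered message: reject before trusting any field
    order = PENDING_TOPUPS.get(payload.get("order_id"))
    if order is None or payload.get("status") != "success":
        return False  # unknown order, or not actually paid
    if payload.get("amount_chf") != order["amount_chf"] or payload.get("card") != order["card"]:
        return False  # amount and card come from our own record, never from the callback alone
    if payload["order_id"] in PROCESSED_ORDERS:
        return False  # replay of a legitimate callback
    PROCESSED_ORDERS.add(payload["order_id"])
    CARD_BALANCE[order["card"]] += order["amount_chf"]
    return True
```

In practice the signature check is usually complemented by a server-to-server status query to the provider, so that the card is credited from the provider's answer rather than from anything the browser delivered.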