HackerOne report H1:767829 by zude, Jan 03, 2020 - 7:32 p.m.

Starbucks: Account take over of 'light' starbuckscardb2b users


This issue was found on https://www.starbuckscardb2b.com; this website belongs to Starbucks, and it is a critical vulnerability, so I am reporting this.

Issue: An attacker can take over a victim's account by creating a new account using the victim's (already registered) email address.

Steps to reproduce are as follows:

  1. Open https://www.starbuckscardb2b.com and go to create account.
  2. For example, a user successfully creates an account with [email protected] and password 12345678.
  3. Now the attacker creates an account with the email used in step 2, [email protected], with a different password.
  4. After completion of step 3, the password for the [email protected] user is set to the password used by the attacker.
  5. This results in the account take over by the attacker.
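The steps above describe a registration handler that behaves like an upsert: a second sign-up for an existing email overwrites the stored credential. The following added Python example (not from the report or from the Starbucks code base; the store, function names and sample addresses are hypothetical and constructed) contrasts that flawed behaviour with a handler that refuses to modify an existing account.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store: email -> (salt, password hash).
users = {}


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register_vulnerable(email: str, password: str) -> bool:
    """Hypothetical flawed handler: registration is an unconditional write,
    so a second sign-up with an existing email replaces the stored credential."""
    salt = os.urandom(16)
    users[email] = (salt, hash_password(password, salt))
    return True


def register_safe(email: str, password: str) -> bool:
    """Hardened handler: create the record only if the email is not yet taken.
    Returns False without touching the store when it is; a real service would
    then send a neutral e-mail rather than reveal which addresses exist."""
    if email in users:
        return False
    salt = os.urandom(16)
    users[email] = (salt, hash_password(password, salt))
    return True


def login(email: str, password: str) -> bool:
    record = users.get(email)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(stored, hash_password(password, salt))


def demo_vulnerable():
    """Victim registers, attacker re-registers the same email: (victim_ok, attacker_ok)."""
    users.clear()
    register_vulnerable("victim@example.com", "12345678")
    register_vulnerable("victim@example.com", "other-password")
    return login("victim@example.com", "12345678"), login("victim@example.com", "other-password")


def demo_safe():
    """Same sequence with the hardened handler: (second_register_accepted, victim_ok, attacker_ok)."""
    users.clear()
    register_safe("victim@example.com", "12345678")
    accepted = register_safe("victim@example.com", "other-password")
    return accepted, login("victim@example.com", "12345678"), login("victim@example.com", "other-password")
```

With the flawed handler the victim's original password stops working and the second password logs in; with the hardened handler the second registration is rejected and the original credential is untouched.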

Impact

An attacker can take over control of any or all registered users' accounts.