Starbucks: Improper handling of payment callback allows topping up a Swiss Starbucks Card bypassing actual payment via a crafted success message

khovansky uncovered that an attacker could register on https://xtras.starbucks.ch and utilizing that registration, subsequently generate a reset password email via https://card.starbucks.ch After resetting the password for the account, khovansky noticed this process auto generates a virtual Swiss...