
Hacking Starbucks for unlimited coffee - duked
http://sakurity.com/blog/2015/05/21/starbucks.html
======
chadscira
I encountered and reported this bug over _three_ years ago. I decided not to
write about it but considering that they still haven't fixed it...

[http://chadscira.com/post/556999d91cb00914380006ee/Re-Starbu...](http://chadscira.com/post/556999d91cb00914380006ee/Re-Starbucks-unlimited-coffee#)

~~~
veb
I'm lost.

You say in the end they "fixed" it (quotes included) and you yourself tested
it and it did actually seem fixed... but it's not according to OP.

I do apologise if I've missed something blatantly obvious here!

Was your method the same as OP by the way?

~~~
nandemo
It's called a regression.

Believe it or not, there's a lot of software organizations out there that
still get away with using anti-patterns like: not integrating code frequently,
not using modern source control systems, not using automated tests, not doing
security audits, and not doing incident reviews.

~~~
akshatpradhan
Part of the SDLC!

------
deepnet
This is like punching a guy who hands you the wallet you just dropped.

This was entirely RESPONSIBLE DISCLOSURE.

They need to send a basket of muffins to the guy.

Surely they should take INTENT into account.

The interesting question is: how much has Starbucks lost because of this
vulnerability (the white hat may not have been the 1st to discover it)?

~~~
chadscira
It fascinates me that an $80B publicly traded company that is one of the
leaders in gift cards doesn't take security more seriously...

They seriously need to invest in security :/, I'm sure they have lost a good
amount of money to this issue considering that it's been around since 2012.

~~~
deepnet
Did they fix it?

Perhaps they cannot fix it?

Maybe their IT is in denial?

Interested to see a follow-up report.

~~~
chadscira
When I initially reported it, it felt like they quickly had me speaking
directly with the person that was possibly at fault in order to fix the
problem. But at the same time it did feel like they were internally sweeping
it under the rug.

I think it's more likely that they hid the fact that this happened/was
happening and that resulted in this issue resurfacing.

------
wepple
To add some context, Starbucks does appear to invite white-hat security testing
in a bug-bounty-like manner:

[http://www.starbucks.com/about-us/company-information/online...](http://www.starbucks.com/about-us/company-information/online-policies/information-security-at-starbucks)

That means that Homakov was likely not breaking the law, and you would expect
Starbucks to be more welcoming of the report.

~~~
qq66
The thing about big companies is that the person responding to the inbound
communication is usually in a totally separate department from the person who
wrote the policy, and often doesn't know the policy exists. It's really hard
to get a group of 50,000 people to act consistently with each other.

Of course, I hope for Starbucks' sake that it quickly backtracks and thanks
this guy with at a minimum a bunch of free Starbucks and a phone call or email
from the CIO or CEO. It's not in Starbucks' interest to dissuade white hat
hacking, since black hat hackers don't care about Starbucks' policies.

------
CookWithMe
I have never used a gift card at starbucks before, but that bill [0] doesn't
make any sense to me.

He says he has two cards: One has $15, one has $5.

Card 3203 is billed $14.68 and card 6075 is billed $2.02.

The remaining balance on card 3203 is $0, card 6075 has $5.70 remaining.

If card 3203 had $15 and card 6075 had $5 before he used them, the remaining
balance should have been $0.32 and $2.98, respectively...

That's really me guessing, but it could be the $5 was just an example to
explain the concept and in fact he used smaller values (e.g. $0.05) to be able
to trigger the bug more often without generating too much cash... but he
should have explained the bill somehow.

[0] [http://sakurity.com/img/sbcheck.jpg](http://sakurity.com/img/sbcheck.jpg)

~~~
cokernel
That's exactly right. In the comments Homakov mentions that the $15 and $5
figures have been "adjusted for simplicity".

------
anotheryou
I told 2 companies that they are leaking email addresses (got spam on single-
purpose addresses). One replied very kindly and asked for details, the other
did not answer, after writing them publicly on twitter they blocked me
there...

The misbehaving one was [http://joby.com/](http://joby.com/) they build these
awesome gorilla-pods. Do yourself a favor and buy one of the many clones. (got
spam to joby.com.singlepurpose@mydomain.com)

More or less shady paypal-shops are the worst though :) (paypal hands your
mail address out (I wonder why they do not relay communications like ebay))

~~~
Scoundreller
I think Ebay stopped because buyers would get in touch directly with a seller
to do re-orders (sometimes at a discount).

Sellers used to be able to Ebay message non-winning bidders and offer them
product at whatever they bid at. Sellers would also link buyers to their web-
store for that item or related ones. Ebay blocks those kinds of messages. Now
sellers do it with a paper pamphlet with your package.

Paypal, on the other hand, _wants_ you to do more transactions, outside of
Ebay or not, because they would likely still be the payment processor and get
their cut.

It took a while for Ebay to integrate Paypal into the buying process (I'd
argue they never really did), so they seemed to always operate semi-
independently with non-aligned interests with their parent.

------
mangeletti
Isn't it true that using an UPDATE statement referencing the existing column's
value also works?

Pseudo-code:

    UPDATE account SET balance = balance - 5 WHERE ...

If both sides of the transfer are handled this way, and then the balance of
the transferrer is checked after to ensure it's greater than 0 (rollback
otherwise), won't that suffice to handle the issue without having to use
SELECT ... FOR UPDATE?

\---

To further simplify this, you could include a WHERE balance > [transfer
amount] clause to the transferrer UPDATE query. If the number of rows updated
is 1, UPDATE the transferee's row. If the number of rows updated is 0, you're
done (tell the user they don't have sufficient funds). Isn't that right?

~~~
barrkel
The issue (as I understand it) was transferring balance from one card to
another. So two rows need updating, one with an increment, the other with a
decrement.

~~~
jlgaddis
I'm not a developer (I generally only write shell/Perl/Python scripts to make
my own job easier) or a database expert but wouldn't this issue be pretty easy
to avoid if the whole process were wrapped up in a transaction? E.g.:

      BEGIN TRANSACTION;
      SELECT balance AS balance1 FROM giftcards WHERE gift_card_id = 1;
      SELECT balance AS balance2 FROM giftcards WHERE gift_card_id = 2;
      UPDATE giftcards SET balance = balance1 - 5 WHERE gift_card_id = 1;
      UPDATE giftcards SET balance = balance2 + 5 WHERE gift_card_id = 2;
      END TRANSACTION;

Obviously, this is somewhat simplified and you'd have various checks to make
sure _balance1_ was actually >= 5, etc.

Again, I'm not a developer, so what am I missing?

~~~
ryanjshaw
Transactions do not necessarily get processed serially. For example, if there
were two concurrent requests and request #1 had just completed the first
UPDATE when request #2 jumps in and performs the first two SELECTs, then
request #2 will incorrectly update the balance for card #2. Different database
systems offer different ways to serialize transactions, usually with a cost of
performance and complexity.

Note that the post says:

> The only right way to do it is a pessimistic lock (FOR UPDATE clause).

This is not true. Banks deal with this problem all the time. You don't have to
use a database engine as the serializer, despite what all the books tell you.
My preference would be to explicitly serialize transactions rather than rely
on database tricks - i.e. write accounting entries to ledgers and have a
service that processes those entries on a single thread. For many scenarios
this is more than good enough. If you needed lower latency, you could process
this all in memory and use the database purely to replay the transaction log
on restart for unprocessed transactions. In either implementation you could
implement optimizations to process entries on different threads.

~~~
mangeletti
If you make 2 updates, check the balance to ensure > 0, and rollback if < 0,
and you do all of this in a transaction, doesn't concurrency no longer matter?
If another transaction beats you to the punch, won't the balance check query
reflect that?

~~~
TheLoneWolfling
Nope - this can happen with cards with a balance above zero too.

Look at what happens if you start two transfers of 1/2 the money from A to B.
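
The race this subthread is arguing about, as an added example that is not from any commenter or from the original post: two requests are interleaved statement by statement against a SQLite table (the `giftcards` table, cards `A` and `B`, their balances and the interleaving schedule are all constructed for the demo). `racy_transfer` is the read-check-write flow; `guarded_transfer` is the conditional `UPDATE ... WHERE balance >= amount` approach mangeletti describes above. It also answers the question about checking the balance after the writes: with two transfers of half the money, the source card never goes negative, so that check passes even though money has been created.

```python
import sqlite3

# Constructed starting balances: card A holds 10, card B holds 0.
START_BALANCES = {"A": 10, "B": 0}


def fresh_db():
    """In-memory SQLite database in autocommit mode, so each statement is its
    own atomic unit. That is enough to model two requests whose individual
    statements interleave at the database."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE giftcards (id TEXT PRIMARY KEY, balance INTEGER NOT NULL)")
    conn.executemany("INSERT INTO giftcards VALUES (?, ?)", START_BALANCES.items())
    return conn


def balances(conn):
    return dict(conn.execute("SELECT id, balance FROM giftcards ORDER BY id").fetchall())


def racy_transfer(conn, src, dst, amount):
    """Read-check-write transfer, the pattern the thread is worried about.
    Written as a generator so the scheduler below can interleave requests;
    each yield is a point where another request may run."""
    (balance,) = conn.execute("SELECT balance FROM giftcards WHERE id = ?", (src,)).fetchone()
    yield "read"                     # another request can read the same value here
    if balance < amount:
        yield "rejected"
        return
    # Writes a value computed from the (possibly stale) read instead of
    # decrementing in place, so a concurrent debit is silently overwritten.
    conn.execute("UPDATE giftcards SET balance = ? WHERE id = ?", (balance - amount, src))
    conn.execute("UPDATE giftcards SET balance = balance + ? WHERE id = ?", (amount, dst))
    yield "done"


def guarded_transfer(conn, src, dst, amount):
    """Transfer whose debit is one conditional UPDATE. The database evaluates
    the guard and the decrement atomically, so no interleaving can overdraw
    the source card. In production the debit and credit would also share one
    transaction so a crash between them cannot lose money; autocommit here is
    only for the demo."""
    cur = conn.execute(
        "UPDATE giftcards SET balance = balance - ? WHERE id = ? AND balance >= ?",
        (amount, src, amount),
    )
    yield "debit"
    if cur.rowcount == 0:            # guard failed: insufficient funds
        yield "rejected"
        return
    conn.execute("UPDATE giftcards SET balance = balance + ? WHERE id = ?", (amount, dst))
    yield "credit"


def run_interleaved(*requests):
    """Round-robin scheduler: advance each request one step at a time.
    Returns the last status each request reported."""
    last = [None] * len(requests)
    active = list(range(len(requests)))
    while active:
        for i in list(active):
            try:
                last[i] = next(requests[i])
            except StopIteration:
                active.remove(i)
    return last


def demo_racy():
    """Two concurrent transfers of half the balance from A to B: both pass the
    check, both write, and money is created (A=5, B=10 from a total of 10)."""
    conn = fresh_db()
    run_interleaved(racy_transfer(conn, "A", "B", 5), racy_transfer(conn, "A", "B", 5))
    return balances(conn)


def demo_guarded():
    """Three concurrent guarded transfers of 5 from A (balance 10): two succeed,
    the third is rejected, and the total stays 10."""
    conn = fresh_db()
    statuses = run_interleaved(*(guarded_transfer(conn, "A", "B", 5) for _ in range(3)))
    return balances(conn), statuses


if __name__ == "__main__":
    print("racy   :", demo_racy())
    print("guarded:", demo_guarded())
```

The scheduler is deliberately deterministic; real requests race non-deterministically, which is why such bugs survive testing. Note that the guard only protects the debit: the credit still needs to be in the same transaction as the debit (or the whole thing serialized, as ryanjshaw suggests) to avoid losing money on a crash.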

------
llamataboot
Relevant BBC story:
[http://www.bbc.com/news/technology-32844123](http://www.bbc.com/news/technology-32844123)

~~~
ISL
HN, where news becomes news.

------
egeozcan
I guess the reason why they responded in such a way is to prevent any
potential future "tinkerers" to get away by saying that they were just white-
hats. I guess it would have been better to inform them before testing their
payment system for errors.

------
sschueller
Nice but I wouldn't attempt to purchase something at a Starbucks in the US
where you will go to prison for a long time even if there was no malicious
intent.

------
jpollock
Transferring balances between accounts is hard. If you have any sort of
sharding, all of a sudden you don't get transaction safety in the transfer.
You can have sharding for many reasons, such as different vendors, different
locations, different releases and pure performance.

So, you transfer and hope for the best, typically everything will be fine.

Then you add an asynchronous job to go over the logs and reconcile the results
- flagging fraud.

There are two ways of processing transactions. You can remove the money first
and then add it to the new account. That will tend to show up as "lost" money
when the customer sees a problem. Not really a good thing if you're a service
business (vs a bank).

The other way to go is add the money first and then remove it. That will allow
money to be created (as in this case), but won't result in customers seeing
money disappear.

Finally, there may be a problem where they are reading from a cache to perform
the transfer, and the read-copy is a little stale. Again, this would tend
towards giving customers money.

------
__m
Simple rule: if you don't have the permission of the company to mess with
their system, don't do it. Why would you anyway? You don't get paid and you
spoil your integrity.

~~~
nkozyra
Why do it? Ostensibly so it's fixed before someone with malicious intent can
get to it. But sometimes for minor fame or for a bounty.

For Starbucks, it's GOOD. It means they're out $2 and some embarrassment
instead of out millions when someone sees something is way off in the books.

All that said, I would have tested this more than once to ensure it wasn't
some minor built-in allowance.

~~~
seanp2k2
While you're absolutely right, unless there's something in it for you beyond
curiosity / because you can, the risks much outweigh the benefits IMO.

Why would you help a for-profit company for free? Would they do the same for
you? What is the best-possible scenario, a reward / job offer / gift
certificate? What is the worst-possible scenario? Years in prison? Legal cases
which drain all your savings? It hardly seems worth it to do this. Software
vulnerabilities are EVERYWHERE, but trying to be a Good Samaritan in a hostile
capitalistic environment doesn't tend to work out in your favor very often.

~~~
dionyziz
If you want to look at it rationally, he has pretty good chances of getting a
good job in security now. It's likely he's looking at proposals by Google,
Facebook, etc. Good recruiters love these kinds of things (and should, as they
are a great measure of who is a passionate hacker).

------
dbbolton
Off topic: what's up with the guillemets in the code example? Does that
actually work as a replacement for single/double quotemarks in some shells?
Mine just treats them as an ordinary character, e.g.

        print «Cookie: session=session1»
        «Cookie: session=session1»

------
mpg33
Bring a $100 bill and say it's all you have ;)

------
dkhenry
Unlimited Starbucks coffee can also be had by visiting any large wildfire and
scooping the ashes into a container full of water. It's essentially the same
thing.

~~~
54mf
Cool, cool, very productive, thanks for your input. Your coffee opinions are
very relevant to this discussion, and have been duly noted.

------
paulpauper
Who wants to be a Starbucks-Crypto millionaire

------
Almaviva
I don't see how this is different from finding an ingenious way to jimmy open
the lock of the door at night, figuring out how to take cash from the
register, and then phoning them up to tell them they need to spend money on a
new door.

~~~
nothrabannosir
Am I missing something, or did you describe every bug bounty program
everywhere? Isn't this exactly the definition of a security bug?

Even in your dry analogy, what's the problem? Would you not want people to
tell you they found a very easy way to take money out of the register?

Not that it matters; this is text-book, industry standard security bug
reporting. He waited with the public disclosure until it was fixed.

(If he didn't; different story. Maybe I misunderstood that part? Was that it?)

~~~
titanomachy
> After trying really hard to find anyone who cares, I managed to get this bug
> fixed in like 10 days.

Sounds like it did get fixed, but it was a little confusing because he goes on
to talk about how he could make millions counterfeiting gift cards.

~~~
intrasight
Indeed. The author and the article lost what little credibility that existed
at that point.

~~~
TheCowboy
How did he have little credibility? And how did he lose it?

He spent his own time helping Starbucks improve their security. Starbucks
insinuates or suggests he committed fraud and malicious actions for finding
AND trying to alert them of the problem so that it could be fixed. Starbucks
was out of line here, not him.

While not eloquently expressed, it should still be obvious to most readers of
this site that he is not implying that next time he will go and steal millions
when he finds a bug. He is articulating that corporations that respond this
way create a culture where they will only find out about vulnerabilities when
it's too late, because no one will want anything to do with them.

If anything, the more serious bug is the attitude of Starbucks as an
institution here, and people not holding Starbucks accountable.

------
unimpressive
To be fair to the relevant authorities, the author does a terrible job of not
sounding malicious.

That last paragraph in particular sounds more like a vindictive troublemaker
than a concerned hypothetical and writing like that doesn't help your case.

~~~
gsam
To be a good security researcher, no doubt it often takes a devious mind. Now
whether or not this deviousness is used for good or evil depends on
temperament, upbringing and acceptance or ignorance by other parties.

You don't piss off a hacker. And these people have miles more persistence than
other people. That's what makes these people good. I'm not saying they should
flagrantly abuse laws but the morality and mentality of these people is
usually break first and then think about the consequences. And that's exactly
why lots of holes never get reported.

