

Researcher who exploits bug in Starbucks gift cards gets rebuke, not love - shawndumas
http://arstechnica.com/security/2015/05/researcher-who-exploits-bug-in-starbucks-gift-cards-gets-rebuke-not-love/

======
BoxKeyboard
White hat security has got to be one of the most important but thankless
fields in computer science today.

At best, there are bug bounties that may or may not be worth it depending on
the severity of what you find and how many hours you poured into it.

Frequently, you get shit like this where the threat of imprisonment is very
real (not that I think anything will come of this because it would be a PR
nightmare, but the threat still looms).

And of course, at worst, we all can read about what happened to weev
(admittedly exacerbated by him being a complete tool).

------
yvoschaap2
The blog post by Egor describing the exploit:
[http://sakurity.com/blog/2015/05/21/starbucks.html](http://sakurity.com/blog/2015/05/21/starbucks.html)

------
sbpayne
My problem is this line: "As a professional penetration tester, Homakov knows
better than most people that hackers should never access someone else's
computer network or account without explicit permission."

He did neither of these. He used forms that Starbucks had in place (which they
expect customers to use).

------
hartator
> But Homakov seems to act as if he had some special ethical and legal right
> to make the fraudulent purchase, even though Starbucks had never asked for
> his security services.

I don't get why Ars is harsh against him. $1.70 in the grand scheme of things is
nothing. Even if he was using it for x10 more without paying it back, it's
still nothing.

~~~
justinschuh
From my own experience, actually making the purchase is likely to be perceived
negatively. He had already successfully demonstrated the race condition
allowing the transfer, so he had enough to clearly make his point. That
stated, were I in Starbucks' position I'd lead with a big "thank you" before
explaining the liabilities and why he shouldn't go so far to make his point in
the future.

Also, in the interest of full disclosure, I should state that my team has
interacted with Homakov on a number of Chrome vulnerability reports. In my
experience he's very sharp, he finds interesting bugs, and my impression is
that he's generally trying to do the right thing. However, I can definitely
see how his communication style might not come across very well, particularly
to a security team that's not used to dealing with the security research
community.

