Starbucks "Tweet a Coffee" potential security vulnerability - shortstuffsushi

Starbucks has recently implemented a program allowing you to tweet @tweetacoffee to @... (https://www.starbucks.com/tweet-a-coffee).

This in itself seems innocent enough, but given the frequency with which Twitter accounts are hacked, this seems a potential security issue.

As a hacker, if I scrape Twitter for anyone who has *ever* used this functionality (basically anyone who has tweeted @tweetacoffee), I can see which accounts are tied to Starbucks, and subsequently target those accounts.

If I gain access to even a single one of those accounts, I can then send myself, or anyone really, money. Up to this point, when your account got hacked on Twitter, you basically just had to deal with embarrassing tweets or phishing attempts. Now hackers have direct access to your credit card.

Does anyone else agree with this, or am I totally out there on this?
======
heavymark
Yeah, same with all these new services popping up like Square Cash, where if
you have access to someone's email you can send money anyway without any other
verification.

I think it comes down to convenience outweighing the downsides. For most
people it won't be an issue, and anyone it does happen to would simply notify
their bank immediately, who would void the charges while they look into the
fraud. I assume Twitter or Starbucks sends a receipt email after a
Tweetacoffee occurs.

It would make sense to require users to enable double authentication in
Twitter to be able to use the send money feature, or in Gmail to use Square
Cash, but I doubt that would ever happen, since people can already enable
double authentication and the people who don't either don't know how to or
don't want to, and forcing them to would defeat the whole purpose, which is
convenience.

Good point though, and it will be interesting to see what happens with all of
these services.

------
jaxbot
Right, but this isn't really a vulnerability, just a fact of the matter that
when an account has credit card info attached to it, it can be exploited.
There are probably much easier (and less detectable) ways to steal money than
trying to crack into Twitter accounts.