Vulnerability Management

Method identified to generate unlimited Starbucks gift card funds

A hacker with security firm Sakurity identified a way to generate unlimited funds on Starbucks gift cards.

Egor Homakov explained in a Thursday blog post how he was able to create multiple transfers between different gift cards by using the same Starbucks.com personal account from two different browsers – with different session cookies.

Homakov referred to the vulnerability as a race condition, which he indicated is common in websites that handle balances.

The end result is that one gift card has additional funds and Homakov has more Starbucks money than he started out with. He tested the card in a shop to prove it worked, and then added some funds to his account to pay back Starbucks.

The bug has been fixed, but Homakov noted that disclosing it to Starbucks was a lengthy and unpleasant process.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.