Mohamed M. Fouad, an independent security researcher, reported on his blog that he found three critical vulnerabilities on Starbucks' website that put customers' banking details at risk.
The vulnerabilities could allow an attacker to perform remote code execution on the company's server as well as phishing attacks via a remote file inclusion vulnerability. A cross-site request forgery (CSRF) could allow attackers to hijack a store account, including payment history, with just one click.
Motivated by a bug bounty program initiated by Starbucks, Fouad began examining its website code and discovered the flaws which, he said, could be used to add alternative emails to an account, change profile settings and, ultimately, let an attacker siphon off credit card details.
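The CSRF flaw described above works because a state-changing request such as "add an alternative email" is accepted on the strength of the session cookie alone, which the victim's browser attaches to any form a third-party page auto-submits. The following is an added illustration, not code from the researcher's post or from Starbucks, of that vulnerable handler beside a hardened one that requires a per-session synchroniser token and a same-origin request; the origin, session id and email addresses are constructed placeholders.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlparse

SITE_ORIGIN = "https://shop.example"   # assumed origin of the store site
SERVER_KEY = secrets.token_bytes(32)   # server-side secret, generated at startup

def csrf_token_for(session_id: str) -> str:
    """Synchroniser token derived from the session; a cross-site page never
    sees the session id, so it cannot compute or guess this value."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def _same_origin(headers: dict) -> bool:
    # Browsers send Origin on cross-site POSTs; fall back to Referer.
    # A request carrying neither is rejected rather than trusted.
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    p = urlparse(src)
    return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN

def add_alt_email_vulnerable(request: dict, account: dict) -> int:
    """Trusts the session cookie alone: any page can auto-submit this form."""
    if request["cookies"].get("session") != account["session"]:
        return 401
    account["alt_emails"].append(request["form"]["email"])
    return 200

def add_alt_email_hardened(request: dict, account: dict) -> int:
    """Requires the per-session token in the form body and a same-origin request."""
    session_id = request["cookies"].get("session")
    if session_id != account["session"]:
        return 401
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(csrf_token_for(session_id), supplied):
        return 403  # token missing or forged
    if not _same_origin(request["headers"]):
        return 403  # submitted from a foreign origin
    account["alt_emails"].append(request["form"]["email"])
    return 200

def simulate() -> dict:
    """Constructed scenario: a third-party page auto-posts the form from the
    victim's browser, so the session cookie rides along automatically."""
    def fresh_account():
        return {"session": "sess-1234", "alt_emails": []}
    forged = {"cookies": {"session": "sess-1234"},
              "form": {"email": "attacker@evil.example"},
              "headers": {"Origin": "https://evil.example"}}
    legit = {"cookies": {"session": "sess-1234"},
             "form": {"email": "me@home.example", "csrf_token": csrf_token_for("sess-1234")},
             "headers": {"Origin": SITE_ORIGIN}}
    return {"vulnerable_forged": add_alt_email_vulnerable(forged, fresh_account()),
            "hardened_forged": add_alt_email_hardened(forged, fresh_account()),
            "hardened_legit": add_alt_email_hardened(legit, fresh_account())}
```

Marking the session cookie `SameSite=Lax` or `Strict` adds a second, browser-enforced layer, but the token check above is what makes the endpoint safe on browsers that do not honour it.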
As a proof of concept, Fouad included a video in his post demonstrating the attack, and reported the flaws to the company and US-CERT. While he heard back from US-CERT that the flaws had been fixed, he still has not heard from Starbucks regarding his bug bounty.