Hacking Starbucks for unlimited coffee

200 points, by duked, almost 10 years ago

17 comments

chadscira, almost 10 years ago
I encountered and reported this bug over *three* years ago. I decided not to write about it but considering that they still haven't fixed it...

http://chadscira.com/post/556999d91cb00914380006ee/Re-Starbucks-unlimited-coffee#

deepnet, almost 10 years ago
This is like punching a guy who hands you the wallet you just dropped.

This was entirely RESPONSIBLE DISCLOSURE.

They need to send a basket of muffins to the guy.

Surely they should take INTENT into account.

The interesting question is: how much has Starbucks lost because of this vulnerability (the white hat may not have been the 1st to discover it)?

wepple, almost 10 years ago
To add some context, Starbucks do appear to invite whitehat security testing in a bug-bounty like manner:

http://www.starbucks.com/about-us/company-information/online-policies/information-security-at-starbucks

That means that Homakov was likely not breaking the law, and you would expect Starbucks to be more welcoming of the report.

CookWithMe, almost 10 years ago
I have never used a gift card at Starbucks before, but that bill [0] doesn't make any sense to me.

He says he has two cards: one has $15, one has $5.

Card 3203 is billed $14.68 and card 6075 is billed $2.02.

The remaining balance on card 3203 is $0, card 6075 has $5.70 remaining.

If card 3203 had $15 and card 6075 had $5 before he used them, the remaining balance should have been $0.32 and $2.98, respectively...

That's really me guessing, but it could be the $5 was just an example to explain the concept and in fact he used smaller values (e.g. $0.05) to be able to trigger the bug more often without generating too much cash... but he should have explained the bill somehow.

[0] http://sakurity.com/img/sbcheck.jpg

anotheryou, almost 10 years ago
I told 2 companies that they are leaking email addresses (got spam on single-purpose addresses). One replied very kindly and asked for details; the other did not answer, and after writing them publicly on Twitter they blocked me there...

The misbehaving one was http://joby.com/; they build these awesome gorilla-pods. Do yourself a favor and buy one of the many clones. (Got spam to joby.com.singlepurpose@mydomain.com.)

More or less shady PayPal shops are the worst though :) (PayPal hands your mail address out (I wonder why they do not relay communications like eBay).)

mangeletti, almost 10 years ago
Isn't it true that using an UPDATE statement referencing the existing column's value also works?

Pseudo-code:

    UPDATE account SET balance = balance - 5 WHERE ...

If both sides of the transfer are handled this way, and then the balance of the transferrer is checked after to ensure it's greater than 0 (rollback otherwise), won't that suffice to handle the issue without having to use SELECT ... FOR UPDATE?

---

To further simplify this, you could include a WHERE balance > [transfer amount] clause to the transferrer UPDATE query. If the number of rows updated is 1, UPDATE the transferee's row. If the number of rows updated is 0, you're done (tell the user they don't have sufficient funds). Isn't that right?

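The conditional-UPDATE approach proposed in the comment above, as an added example that is not part of the thread and not code from Starbucks' system: it puts a check-then-act transfer (read the balance, decide, then debit) beside the single conditional UPDATE whose affected-row count is the funds check. The SQLite table, the account names `card_a`/`card_b`, the integer-cents balances and the deliberately worst-case interleaving of the naive version are all constructed for the demo.

```python
import sqlite3

# Added example (not from the thread). Balances are integer cents.
# Table layout and account names are constructed for this demo.


def setup_db():
    """In-memory ledger with one funded card and one empty card (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account (id TEXT PRIMARY KEY, balance INTEGER NOT NULL)")
    conn.executemany("INSERT INTO account VALUES (?, ?)", [("card_a", 500), ("card_b", 0)])
    conn.commit()
    return conn


def naive_transfer_interleaved(conn, src, dst, amount, requests=2):
    """Check-then-act transfer under the worst interleaving: every concurrent
    request runs its SELECT before any of them writes, so each one decides on
    the original balance. Returns how many requests were accepted."""
    seen = [
        conn.execute("SELECT balance FROM account WHERE id = ?", (src,)).fetchone()[0]
        for _ in range(requests)
    ]
    accepted = 0
    for balance in seen:
        if balance >= amount:  # decision made on a stale read
            conn.execute("UPDATE account SET balance = balance - ? WHERE id = ?", (amount, src))
            conn.execute("UPDATE account SET balance = balance + ? WHERE id = ?", (amount, dst))
            accepted += 1
    conn.commit()
    return accepted


def atomic_transfer(conn, src, dst, amount):
    """Conditional UPDATE: the funds check and the debit are one statement, so
    the database evaluates them against the row as it is now, not against a
    copy read earlier. Uses >= rather than > so a card can be drained to zero."""
    cur = conn.execute(
        "UPDATE account SET balance = balance - ? WHERE id = ? AND balance >= ?",
        (amount, src, amount),
    )
    if cur.rowcount != 1:  # 0 rows touched means insufficient funds; nothing to keep
        conn.rollback()
        return False
    conn.execute("UPDATE account SET balance = balance + ? WHERE id = ?", (amount, dst))
    conn.commit()
    return True


def balances(conn):
    return dict(conn.execute("SELECT id, balance FROM account ORDER BY id").fetchall())


def demo():
    naive = setup_db()
    accepted = naive_transfer_interleaved(naive, "card_a", "card_b", 500)
    # Two 500-cent transfers from a 500-cent card both go through:
    # card_a ends at -500, card_b at 1000, i.e. money was created.
    naive_result = (accepted, balances(naive))

    safe = setup_db()
    first = atomic_transfer(safe, "card_a", "card_b", 500)
    second = atomic_transfer(safe, "card_a", "card_b", 500)
    # Only the first debit finds balance >= 500; the second updates 0 rows and is refused.
    safe_result = (first, second, balances(safe))
    return naive_result, safe_result


if __name__ == "__main__":
    print(demo())
```

The demo replays the bad interleaving on a single connection so that it runs deterministically; with real concurrent connections the same property comes from the row lock the database takes for the duration of the UPDATE statement, which is what makes the check and the debit inseparable. One detail worth keeping in mind when copying the comment's sketch: the clause needs `balance >= amount`, not `balance > amount`, or a customer can never spend the last cent on a card.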
llamataboot, almost 10 years ago
Relevant BBC story: http://www.bbc.com/news/technology-32844123

egeozcan, almost 10 years ago
I guess the reason why they responded in such a way is to prevent any potential future "tinkerers" from getting away by saying that they were just white-hats. I guess it would have been better to inform them before testing their payment system for errors.

sschueller, almost 10 years ago
Nice, but I wouldn't attempt to purchase something at a Starbucks in the US where you will go to prison for a long time even if there was no malicious intent.

jpollock, almost 10 years ago
Transferring balances between accounts is hard. If you have any sort of sharding, all of a sudden you don't get transaction safety in the transfer. You can have sharding for many reasons, such as different vendors, different locations, different releases and pure performance.

So, you transfer and hope for the best; typically everything will be fine.

Then you add an asynchronous job to go over the logs and reconcile the results, flagging fraud.

There are two ways of processing transactions. You can remove the money first and then add it to the new account. That will tend to show up as "lost" money when the customer sees a problem. Not really a good thing if you're a service business (vs a bank).

The other way to go is add the money first and then remove it. That will allow money to be created (as in this case), but won't result in customers seeing money disappear.

Finally, there may be a problem where they are reading from a cache to perform the transfer, and the read copy is a little stale. Again, this would tend towards giving customers money.

__m, almost 10 years ago
Simple rule: if you don't have the permission of the company to mess with their system, don't do it. Why would you anyway? You don't get paid and you spoil your integrity.

dbbolton, almost 10 years ago
Off topic: what's up with the guillemets in the code example? Does that actually work as a replacement for single/double quotemarks in some shells? Mine just treats them as an ordinary character, e.g.

    print «Cookie: session=session1»
    «Cookie: session=session1»

mpg33, almost 10 years ago
Bring a $100 bill and say it's all you have ;)

dkhenry, almost 10 years ago
Unlimited Starbucks coffee can also be had by visiting any large wildfire and scooping the ashes into a container full of water. It's essentially the same thing.

paulpauper, almost 10 years ago
Who wants to be a Starbucks-Crypto millionaire

Almaviva, almost 10 years ago
I don't see how this is different from finding an ingenious way to jimmy open the lock of the door at night, figuring out how to take cash from the register, and then phoning them up to tell them they need to spend money on a new door.

unimpressive, almost 10 years ago
To be fair to the relevant authorities, the author does a terrible job of not sounding malicious.

That last paragraph in particular sounds more like a vindictive troublemaker than a concerned hypothetical, and writing like that doesn't help your case.
