Starbucks gift card hack that allows for unlimited funds discovered

25 May 2015

A security researcher stumbled across a vulnerability on Starbucks’ gift card that would allow customers to access unlimited funds, and now the company is coming down hard on him even though he alerted them to the flaw.

The researcher in question was a man called Egor Homakov from Sakurity, who posted to Sakurity blog about the vulnerability, which came about through testing after he had bought three US$5 Starbucks gift cards.

He examined whether it would be possible to run a vulnerability known as a ‘race condition’, which is commonly found in systems such as gift cards, and began transferring the funds from the first card onto the second card twice using this exploit, to give him a new total of US$20.

To see whether it would work in stores, however, Homakov went to his nearby Starbucks and began racking up a bill of US$16.70, with no signs that the system was picking up the flaw.

White-hat endeavours not appreciated

After topping up the card again to bring his spending in line with what he should have actually paid, as a sign of fairness, he then made numerous futile attempts to contact Starbucks’ IT department, and after getting nowhere decided to fix the bug himself in a period of 10 days.

Sadly for Homakov, this didn’t go down to well with the coffee giant, which, according to Homakov, has now threatened him with legal action for his white-hat endeavours.

“The unpleasant part is a guy from Starbucks calling me with nothing like ‘thanks’ but mentioning ‘fraud’ and ‘malicious actions’ instead. Sweet!,” Homakov said.

Speaking to Ars Technica, Homakov claimed this was far from a previous discussion he had with the company, which claimed it would offer a bounty of US$1,000 for any bugs found.

In the final paragraph of his blog, Homakov almost passive aggressively said he could have done a lot of damage if he had not reported it: “I could create a simple bunch of fake gift cards bought around the world, silently generate credits on them and sell Starbucks credits online for bitcoin with, say, 50pc discount.

“It would easily make me a couple of millions of dollars unless Starbucks actually tracks gift card balances. I don’t know for sure, it’s just a wild guess that this bug could be pretty profitable.”

Starbucks logo image via Shutterstock

Colm Gorey was a senior journalist with Silicon Republic