Hacker uses Starbucks INFINITE MONEY for free CHICKEN SANDWICH

Sakurity hacker Egor Homakov has found a way to dupe Starbucks into loading free cash onto the "coffee" chain's payment cards. Homakov says a race condition within Starbucks' card purchase system means money can be transferred between cards without it being deducted. The bug hunter exploited the bug and tested it by …

  1. PleebSmash

    free lunch

    OMG it was unethical that he bought a few dollars of free grub using an exploit... even though he paid back the difference. Choke on it.

    Here's a Redditard I can agree with:

    "You should always get authorization to perform an attempt to exploit a system. If someone does not want to pay for sufficient pen testing or have outside security companies review their code, then that's their own problem. People don't need to do this stuff out of the goodness of their heart. If anything, giving freebies like this encourages companies to be careless and not spend money on proper testing."

  2. Haku

    "The exploitation of discovered bugs is widely considered bad practice and will usually result in the forfeiture of paid bounties, and occasionally in legal action."

    But Shirley they can't be serious about that, because in some instances you have to exploit the bug you think you've discovered to test and see if it actually works.

    Isn't all the "we'll sue the goddamn hell out of anyone that discovers bugs in our system!" attitude from major companies stifling creative thinking or simply making sure that when bugs are discovered they're not disclosed to anyone with the power to fix them and so used to exploit the system?

    1. Anonymous Coward

      Unlicensed Disclosures

      will soon get said researchers in prison.

      1. Haku

        Re: Unlicensed Disclosures

        I'm sure there have been plenty of people who've discovered flaws/bugs in systems over the decades but never used them to their advantage or disclosed them to anyone for fear of serious negative consequences, starting with the company asking "So why were you poking around in ---- when you know you're not allowed?".

  3. Notas Badoff

    Appreciation?

    "However Starbucks did not appreciate the ... hacker's quiet disclosure ..."

    Well, now that the corporation's stance regarding disclosure has been stated publicly, the next bug permitting fraud will be announced on-stage with widespread reporting. Let's see them then take 10 days to fix the monetary leak. Why doesn't any corporation think about "next time"?

    1. toughluck

      Re: Appreciation?

      Because it's hard for non-tech companies to grasp certain key concepts. Thanks to Hollywood, they have very flawed analogies and terrible understanding of security exploits.

      They work on a safe wall analogy. Suppose it takes two weeks to drill a hole in a safe wall. Day after day, the safecracker drills away at it, and after 14 days, he succeeds. To them, a hacker does mostly the same thing. There is an attack, security becomes weaker, and after a certain number of attacks, they're exposed. So they "harden" their systems to sustain more such attacks, much like a bank might install thicker walls, electrify them, and so on.

      They also imagine that their IT security team (if they have any) actively engages hackers to mitigate such attacks (again, thank you, Hollywood).

      So for them, there's no concept of "next time". They don't understand that their systems have exploits that completely circumvent every safeguard there is in place. And it's completely acceptable to them that a hacker whittles away at their systems. After all (another set of flawed analogies):

      - it's just one person;

      - even if he succeeds, the damage will be limited;

      - nobody else will be able to use his exploit.

      --

      I realize that hacking is not ethical. I realize there are no "victimless crimes". I can't say that I wish they were hacked over and over until they learn. I won't even say they deserve being hacked.

      However, pride goes before the fall. They leave themselves completely open for exploitation. There will be people who take advantage of this. The next hacker that comes along may not be a white hat, or even an off-white hat. And the inevitable next exploit may crush the company completely.

      1. Alan Brown Silver badge

        Re: Appreciation?

        "They work on a safe wall analogy. "

        To use that analogy, explain to them that the back wall of the vault turns out to be made of wood, backs onto an alley and has an unlocked door in it.

  4. king of foo

    the moral of the story

    If you find a bug, and a company doesn't have a bounty scheme in place, there is such a thing as a free lunch.

    Now eat, and drink, and be merry. And tell all your friends...

    ...because they don't deserve the benefit of your goodwill and will likely act like twats instead of being appreciative.

    Sometimes you have to do bad to do good...

    1. Thorne

      Re: the moral of the story

      "And tell all your friends"

      Don't tell your friends. The more people use it the sooner it will be picked up.

      If you don't tell anyone you can dine for free for life........

      1. John Robson Silver badge

        Re: the moral of the story

        Dine? At StarF^HBucks?

  5. whateva

    Is there a bigger fool than someone who would do pro bono work for one of the largest and richest companies in the world? Corporations murder people every day, because bean counters calculate that it would be cheaper to settle a few wrongful death lawsuits than it would be to recall and fix the problems with their products. And then some sucker like this comes along: 'I found a way to steal a couple of bucks from you. Can I have a pat on the head and a chicken sandwich for my trouble?'

    I hope they do sue this guy, if only so his type will eventually wise the hell up.

    1. Anonymous Coward

      Exactly! Thanks for stating it. +100%

      People really should pay attention to the fact that the current version of "BigCorp" (or maybe even all of today's capitalism) is no longer your friend, but a stranger. Soon it may be your enemy no matter what, even if you try to help them, like this dumb sucker just found out. I am opinionated, but I'm having a hard time seeing proof to change my opinion (so far it has been impossible).

      1. Destroy All Monsters Silver badge

        They are just selling "coffee", not droning people with big government bucks money allocated from taxpayers by do-gooder liberventionists, FFS!

    2. ecofeco Silver badge

      Exactly. BigCorp is NOT and never will be, your friend. In fact, they are trying their hardest to fuck you every day and because most people are morons, BigCorp is succeeding.

      NEVER give them anything for free.

  6. Anonymous Coward

    Yet when Starbucks use similar "hacks" to exploit the tax system the bugs don't get fixed.

    1. A Nother Handle

      Those aren't hacks, they're features.

      1. NumptyScrub

        Starbucks simply exploit a validation issue in the transfer pricing codebase. It's not illegal to do so...

        1. Anonymous Coward

          What's this about, I missed all news of them exploiting taxes. How does it work :-)

          1. Destroy All Monsters Silver badge

            Only tards who haven't realized that taxes ARE exploitation are paying attention to those kinds of things.

  7. thomas k.

    "... finds cheeky exploit a bitter taste"

    Kind of like their coffee then.

    1. Lamont Cranston

      Re: "... finds cheeky exploit a bitter taste"

      Coffee is bitter, but Starbucks only serve warm milk.

      1. Tromos

        Re: "... finds cheeky exploit a bitter taste"

        warm watered-down milk

  8. Herby

    This sounds to me like...

    ...how the government (pick one) works. They move money around so many ways from Sunday, and always come up with more and more to move around.

    Of course they seem to own the printing presses that "make" money. I wish I could do the same (legally), but alas.

    Don't get me started on BitCoin. Any currency needs an army behind it to be truly legitimate.

  9. Anonymous Coward

    No excuse to hack

    If you have a legitimate concern with security, it's worth contacting the associated entity and reporting it. It's not necessary to hack for proof of concept. Public disclosure of the details of how to perform the hack is also unacceptable.

    1. Bucky 2

      Re: No excuse to hack

      As much as I like to picture corporations like Starbucks as faceless organizations, ultimately the reaction to the hack is going to come from an actual human being acting in an actual human way.

      That human is going to react like this: He walks into his house and finds a stranger sitting in his living room. The stranger says, "Look, I've taken nothing, this is how I did it, and now you can make your home safer." The human is going to have hysterics, threaten the guy with the police and then eat a half gallon of ice cream in one sitting once the guy leaves.

      Yeah, maybe the cracker did a Good Thing in the abstract, but geez....

    2. Alan Brown Silver badge

      Re: No excuse to hack

      "it's worth contacting the associated entity and reporting it."

      In general what you get for your trouble is a mountain of threats and attempts to cover up the existence of the issue.

      Because messenger-shooting is an ancient and honourable response.

  10. Stevie Silver badge

    Bah!

    While not entirely happy about running the exploit to prove it works without authorization, I am flabbergasted that Starbucks would sic the Fraud Dog on the hacker.

    I have a method for evaluating actions I often espouse to my younger, more hotheaded peers. Ask "what's the best thing that could happen?" and phrase the answer as the negation of the worst thing you can think of happening.

    Which would possibly have the Starbucks Fraud Dog constructing the following exchange: "What's the best thing that could happen as a result of me threatening this idiot with fraud charges? The case does not become a public cause celebre, the public does not start staying away in droves as the newspapers pile in and the Starbucks brand does not take a damned good thrashing in the market as a result."

  11. Anonymous Coward

    A race condition, really?

    Isn't it like the FIRST thing we all learn when starting out with databases, the canonical bank transaction where money is moved into and out of the account? And the entire field of theory behind ACID transactions, developed specifically to avoid the nightmare scenario of an outsider being able to manufacture free money at the bank's expense?

    So the state of the account is effectively being passed around in a URL, instead of on the server-side? How many layers of enterprise software, databases, and file systems had to have their transaction mechanisms bypassed for something like this to happen? I mean you have to be working really hard to expose something like this all the way out to your public API.

    It is halfway through the year 2015, people - when is software going to move past the damn stone ages?

    Forget trying to develop encryption, how about we just keep software from shooting itself in the foot, for a start?
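The canonical bank-transfer race this comment refers to, as an added example that is not part of the original thread and models no real payment system: a constructed in-memory ledger of card balances is raced by several threads, first with a check-then-act transfer (read the balance, check it, write a value computed from that read) and then with the check and debit made one indivisible step. A barrier forces every racing thread to finish its read before any thread writes, so the lost update is reproduced deterministically instead of depending on timing. All names (`Ledger`, `run_race`, the card ids) are this example's own.

```python
"""Lost-update race on a stored-value card transfer, and the atomic fix.

Constructed simulation (added example, not the Starbucks system):
  transfer_racy()   - read, check, then write. Concurrent transfers that read
                      the same balance all pass the check and all write, so the
                      source is debited once while every destination is
                      credited: the same balance is spent more than once.
  transfer_atomic() - check and debit happen as one indivisible step under a
                      lock, the in-memory equivalent of a conditional UPDATE
                      inside a single database transaction.
"""
import threading


class Ledger:
    def __init__(self, balances):
        self.balances = dict(balances)  # card id -> balance in cents
        self.lock = threading.Lock()

    def total(self):
        return sum(self.balances.values())

    def transfer_racy(self, src, dst, amount, barrier=None):
        """Vulnerable: the read, the check and the write are separate steps."""
        bal = self.balances[src]                  # 1. read (may already be stale)
        if barrier is not None:
            barrier.wait()                        # every racer now holds the same stale read
        if bal < amount:                          # 2. check against the stale read
            return False
        self.balances[src] = bal - amount         # 3. write; overwrites other racers' debits
        self.balances[dst] = self.balances.get(dst, 0) + amount
        return True

    def transfer_atomic(self, src, dst, amount, barrier=None):
        """Fixed: the check and the debit are one indivisible step."""
        if barrier is not None:
            barrier.wait()                        # racers arrive together; the lock serialises them
        with self.lock:
            if self.balances[src] < amount:
                return False
            self.balances[src] -= amount
            self.balances[dst] = self.balances.get(dst, 0) + amount
            return True


def run_race(n_threads, initial, amount, atomic):
    """Race n_threads transfers of `amount` cents from one card holding `initial`.

    Each thread credits its own destination card, so the only value with
    concurrent writers is the source balance. Returns a summary dict; "minted"
    is money that exists after the race but did not exist before it.
    """
    ledger = Ledger({"src": initial})
    barrier = threading.Barrier(n_threads)
    fn = ledger.transfer_atomic if atomic else ledger.transfer_racy
    results = [None] * n_threads

    def worker(i):
        results[i] = fn("src", f"dst{i}", amount, barrier)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return {
        "accepted": sum(1 for r in results if r),
        "src_balance": ledger.balances["src"],
        "total": ledger.total(),
        "minted": ledger.total() - initial,
    }


if __name__ == "__main__":
    # Four transfers of 500 cents racing a card that holds 500 cents.
    for atomic in (False, True):
        print("atomic" if atomic else "racy  ", run_race(4, 500, 500, atomic))
```

With four racers and a 500-cent card, the racy version accepts all four transfers and ends with 2000 cents in existence (1500 minted), while the atomic version accepts exactly one. In SQL the indivisible step is a conditional update inside one transaction, `UPDATE cards SET balance = balance - :amt WHERE id = :src AND balance >= :amt`, treating a zero row count as insufficient funds and issuing the credit in the same transaction; a row lock via `SELECT ... FOR UPDATE` before the check is the other common form. The lock in the example is coarse (one lock for the whole ledger); it is there to show the invariant, not as a scaling recommendation.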

    1. Destroy All Monsters Silver badge

      Re: A race condition, really?

      I think studying transactions was moved off the curriculum at some point to make place for JavaScript hacking and social meedja.

      defeatist_gallic_shrug.jpg

      1. ecofeco Silver badge

        Re: A race condition, really?

        I think studying transactions was moved off the curriculum at some point to make place for JavaScript hacking and social meedja.

        Destroy All Monsters, I do believe you are right as well. Just look at the structure of your average website these days. Why the fuck is it so complicated? Talk about "unclear on the concept" and defeating the purpose!

        But I see this mindset in almost all endeavors these days, not just IT.

    2. ecofeco Silver badge

      Re: A race condition, really?

      "Forget trying to develop encryption, how about we just keep software from shooting itself in the foot, for a start?"

      Well said AC. Unfortunately, it seems most software is getting WORSE every year. I can see no other reason other than it being deliberate. But why?

  12. ecofeco Silver badge

    Another day, another exploit

    ...but that sandwich in the picture looks DELICIOUS!

    1. Intractable Potsherd Silver badge

      Re: Another day, another exploit

      I was thinking exactly the opposite. Another extreme food-porn picture - too close, too clinical, too slimy. It removes more than it shows. I'll be glad when this fashion has gone.

      1. Michael Wojcik Silver badge

        Re: Another day, another exploit

        Another extreme food-porn picture - too close, too clinical, too slimy. It removes more than it shows.

        Agreed. It's like a close-up of a nose. Maybe that nose is part of an attractive face, but the photo sure isn't conveying it.

        Tho' I must admit food photography is generally lost on me anyway. Sometimes prose descriptions of food sound good, but photographs? Primary senses are not engaged. It's like listening to ballet on the radio.

  13. cdrcat

    Egor Homakov - I love seeing this guy operate

    Sure he doesn't follow the rules, but being able to see how to ignore rules is part of what makes him good!

Biting the hand that feeds IT © 1998–2021