Hacker Informs Starbucks Of Gift Card Exploit; Starbucks Accuses Hacker Of Fraud And Maliciousness
from the hackaccino dept
In a period of a couple of weeks we have already seen some rather strange stories about companies failing to make the best use of free security advice and information, and instead going on the attack. Here we go again, I guess. What this latest example lacks in terrifying flight maneuvers or disgusting internet grossness, it makes up for in pure pettiness. This is the story about how Starbucks was informed by a hacker that he'd discovered and proof-tested an exploit on the company's gift card systems that allowed people to load twice as much money on a card as they were supposed to.
Egor Homakov found a flaw that let him duplicate funds on a gift card, which he spent in a store to test his theory. Mr Homakov worked out that making two web browsers transfer money between the same cards, at the same time, sometimes duplicated the transfer and added funds to a gift card that had not been paid for. After buying some drinks and a sandwich in a store to test if the process had worked, Mr Homakov topped up the card to repay the $1.70 (£1.10) he owed to the company.Pretty solid, honest move, especially given that Homakov then informed Starbucks of the issue after reloading his card so as not to be costing the company even the meager couple-o-dollars it took to test his theory out in practice. As far as altruistic hackers, Homakov's story is about as good as it gets. So of course Starbucks went on the attack.
He told Starbucks so they could fix the flaw, but said that the company had then called his actions "malicious".I have to say, even when most of these stories leave me thinking that the attacking companies would be better off taking the free security advice of people like Homakov, I can at least stretch myself to understand why they might let emotions get in the way of logical behavior. Maybe, like with airflight exploits, the danger is so great that the company just wants everyone to shut up while it gets its house in order. Or maybe, like when goatse ends up on your billboards, embarrassment takes over. But Starbucks' actions are without explanation. Far from going on the attack, the coffee company should be praising and thanking Homakov and it should be counting itself lucky that the exploit was discovered by such a benevolent force rather than one with more mischievous intentions.
"The unpleasant part is a guy from Starbucks calling me with nothing like "thanks" but mentioning "fraud" and "malicious actions" instead," he wrote.
A spokeswoman for Starbucks told BBC News: "After this individual reported he was able to commit fraudulent activity against Starbucks, we put safeguards in place to prevent replication."
Hell, many companies pay for this kind of information. Resting on the fact that the hacker tested his theory before bringing the information to the company as an excuse to throw around legal threats is stupid. Maybe they need to put down the latte to calm the jitters or something.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: egor homakov, hacking, responsible disclosure
Companies: starbucks
Reader Comments
Subscribe: RSS
View by: Time | Thread
See, this is why when you find an exploit in a system, you sell it to the highest bidder. 1) Profit! and 2) You won't get in trouble from the business you would otherwise inform so they can fix it.
It's obviously bad to inform companies of their lack of security.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
do these companies ever go after the software developer who wrote the program? that is the direction to aim the disenchantment, not at the revealer!!
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Last Saturday's Slashdot post....
Starbucks is hostile to the second, not the first. If he'd stopped at discovering the flaw and bringing it to their attention, I doubt they'd be hostile.
If you parked your car and someone noticed the door was unlocked and the keys were in the ignition and came and told you, that'd be under 1) -- if instead, they got in, drove your car up to the door of your building and honked the horn to get your attention, that's under 2). And that's exactly what he did.
Looks like we also need a security researcher wall of shame that lists "researchers" who go beyond the research and commit federal crimes to demonstrate what the flaw allows them to do.
Any time you're inside a network you're not supposed to have access to, you've crossed the "hacker" line from "white" to "grey". If you don't immediately back out and report, you've slid all the way to "black".
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Last Saturday's Slashdot post....
But you say he went too far?!
Wow.
You're the reason to encourage a researcher like him not speak out.
[ link to this | view in thread ]
Re: Last Saturday's Slashdot post....
Right up until he actually tested it in store, he didn't have any confirmation that the exploit actually worked. For all he knew, there were extra checks implemented when actually using the card to buy something that would have caught the error. Meaning instead of a full blown exploit, their gift card balance checking was just buggy. Testing it with a trivial amount of money confirmed that there was indeed a serious problem that did not stop at the balance checking.
[ link to this | view in thread ]
Re: Re: Last Saturday's Slashdot post....
He could have kept quiet about it, or he could have let them know. Instead, he decided to abuse the flaw to present them with a fait d'accompli. This definitely got their attention, but not in a good way.
I'm the reason to encourage a FELLOW researcher like him to follow protocol; otherwise he gives the rest of us a bad name, and makes it more difficult for us to speak out when we haven't actually done anything wrong.
His legal options at the start were:
1) Contact Starbucks and ask them if he can do some pro bono pen testing for them
2) Contact Starbucks and let them know about the flaw in their system, and ask for permission to see how far it went
3) Test the flaw and then go public with the theoretical bug as well as the tested flaw. Not the best way forward, but still legal.
Instead, he chose to cross the line, even if there wasn't any malfeasance attached, and even if he immediately paid back the cost of the goods he got.
[ link to this | view in thread ]
Re: Re: Last Saturday's Slashdot post....
You can't just go around exploiting flaws in people's systems just to verify the flaw, no matter how you rationalize it, unless you have permission. It's not like free speech, it's not just an academic exercise; there's a line that gets crossed, and no matter how you try to explain it away, that line is still there.
Did Starbucks do the right thing in resposne? No, not really. But two wrongs don't make a right.
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
How many times does it need to be shown...
Post the exploit publicly, such that they have no choice but to fix it, but do it anonymously. Telling them first is just asking for a whole heap of trouble as they try and silence the source of embarrassment through lawsuits and legal threats.
Yes, this may suck for the company in question, as they have no chance to patch things up before everyone knows about it, but at this point it's beyond clear that trying to be 'nice' does nothing but put a huge target on your head.
[ link to this | view in thread ]
Re: Re: Re: Last Saturday's Slashdot post....
So he has a card that might or might not have the duplicated amount.
How do you prove if your work did the trick?
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re: Re: Last Saturday's Slashdot post....
It may have appears he added money to his account but in actuality, it only reported that the money was added and wasn't actually added.
Also, if history is any example, Starbucks would have just ignored the email unless it was a worked and not just a possibility.
[ link to this | view in thread ]
Companies like Starbucks DESERVE to be hacked
Why? Because we've had a standard way to report security issues FOR 18 YEARS.
It's right here: MAILBOX NAMES FOR COMMON SERVICES, ROLES AND FUNCTIONS in section 4:
4. NETWORK OPERATIONS MAILBOX NAMES
Operations addresses are intended to provide recourse for customers,
providers and others who are experiencing difficulties with the
organization's Internet service.
MAILBOX AREA USAGE
----------- ---------------- ---------------------------
ABUSE Customer Relations Inappropriate public behaviour
NOC Network Operations Network infrastructure
SECURITY Network Security Security bulletins or queries
Setting up these addresses -- and everyone should have "abuse" and "security", with "noc" used as appropriate -- is trivially easy. Arranging for traffic sent to them to be forwarded to the appropriate people is equally easy. The entire process should take less than 5 minutes and there is absolutely no valid excuse for failing to do so.
Starbucks didn't do that. Neither abuse@ or security@ works -- even today, after it's been publicly pointed out that they've made themselves unreachable. So their insipid whining about how this is "fraud" is really just a coverup for their own negligence and incompetence.
[ link to this | view in thread ]
Contact the approptiate authority
[ link to this | view in thread ]
Yep... the gentleman is the asshole there.... /s
[ link to this | view in thread ]
Re: Re: Re: Last Saturday's Slashdot post....
The time it takes to search for an exploit like this is far more valuable than $1.70 to verify it (especially when it's refunded). Heck in the tech world anymore you can't have a phone conversation for $1.70. If I was at work I'd have spend $1.70 typing this one sentence at the rates we charge....
[ link to this | view in thread ]
Re: Re: Re: Last Saturday's Slashdot post....
[ link to this | view in thread ]
If I discovered an exploit, knowing full well how honest people are being treated for informing them of the exploit, I would post the exploit on every website I came across, showing people how to exploit the glitch.
While I have never honestly exploited anything, I sure as hell would not inform the company of the exploit.
[ link to this | view in thread ]
Re:
Yup. "Sir, do you know there's thirty billion dollars stored on your Starbucks card?"
Let them figure it out. No, not my problem.
[ link to this | view in thread ]
Re: Last Saturday's Slashdot post....
No, there's two different sorts of people interacting with the problem. One, the good samaritan, and two, the business idiot who can't think farther than the daily receipts, and doesn't want to, and doesn't think they need to.
He should've just taken them for all they're worth after documenting the problem and sending a report to contact@blah...
Idiots.
[ link to this | view in thread ]
Re:
If trying to be 'polite' and privately informing a company of a security or other flaw is going to get you sued or harassed, then people are going to stop doing so. Instaed, those finding such flaws will either ignore them, report them publicly, or exploit them, and none of these are good outcomes from the company's perspective.
In their rush to punish the messenger and protect their 'image', companies are setting themselves up for much worse things down the road.
[ link to this | view in thread ]
Re: Companies like Starbucks DESERVE to be hacked
[ link to this | view in thread ]
Re: Re: Re: Last Saturday's Slashdot post....
Give a name to yourself and your background and let us judge your integrity and honesty.
[ link to this | view in thread ]
Re: Re: Re: Re: Last Saturday's Slashdot post....
All it would take is one of your people trying what he reported he did using what he said he used. Can they do it too? This's pretty basic science. Can you replicate the reported flaw, as the flaw was reported to work? If not, you're done. You needn't even say thank you.
This shouldn't take much time out of your precious day, especially if it might cost your bosses [mb]illions.
Instead, he's treated like a thief and lawyers are sicced on him? Bad form.
[ link to this | view in thread ]
I don't understand what you don't understand
C'mon. Emotions? Companies? Go to Category Error, do not pass Go,
do not collect $200.
How about this? You and I are moo-cow peons, and the suits in charge
are rent-seeking freeloaders accustomed to unlimited entitlement.
There is one way, and one way alone, for a moo-cow peon to interact
properly with their companies: by being exploited.
Offer free and useful advice? Be sneered at. Isn't it cute, this
moo-cow thinks it's people!
Actually demonstrate the utility of that advice? Abomination!
Death to the mutant moo-cow!
[ link to this | view in thread ]
Obscure security defense
[ link to this | view in thread ]
Re: Re: Companies like Starbucks DESERVE to be hacked
And it's beyond idiotic to suggest that anyone should have to sign up for a third-party service like Twitter or Facebook in order to contact a company. Really, anyone pushing that approach should be removed from the Internet and blacklisted for life.
[ link to this | view in thread ]
Re: Re: Re: Re: Last Saturday's Slashdot post....
All laws must be followed except when its those making the laws and enforcing them breaking them, they are an exception.
It's stupid hero worship. Until they are affected personally then they will side with what they violently opposed prior.
[ link to this | view in thread ]
Just one more great reason...
[ link to this | view in thread ]
Re: Last Saturday's Slashdot post....
[ link to this | view in thread ]
Kill the White Hat Hackers! (Then who is left?)
[ link to this | view in thread ]
Re: Contact the approptiate authority
Consider: You're proposing the creation of a viable and effective centralized repository of corporate vulnerabilities.
No matter how many pledges, agreements, treaties, or whatnot were implemented to the contrary such an organization would be an irresistible target for Nation States, Spies (corporate & other), and other malicious actors, and while hacking of the repository would be an issue, so would the blackmail, coercion, and bribery of it's employees.
Such an organization would be compromised before it was even operational.
[ link to this | view in thread ]
Re: Last Saturday's Slashdot post....
[ link to this | view in thread ]
Re: Re: Last Saturday's Slashdot post....
Talk about an asymetric threat....
[ link to this | view in thread ]
Re: Re: Re: Companies like Starbucks DESERVE to be hacked
Given their response to this issue, I believe the answer is "Yes." They are MUCH too stupid to be running an operation of any kind.
[ link to this | view in thread ]
Re:
What always bothers me most about this is the belief, on the part of the company, that they are the smartest people in the room, and that nobody will ever be smarter than them about their own processes, procedures, devices, etc.. Then someone comes along and smashes their belief, and they immediately assume that that is the only person on the planet that managed to figure it out.
If someone thought it up, then it is a pretty good bet that someone else has thought it up before, is currently thinking about it, or will shortly be thinking about it. There are 6+ billion people on the planet, and it is a pretty safe bet that more than one person knows about a security flaw.
Hence the reason for open disclosure of flaws in the first place...let everyone know right now that the cat is out of the bag so there is no possibility that "I didn't know" can trump bad security practices and people hurt by not knowing that the companies they are providing data to are being so promiscuous with it (something I automatically assume now.)
[ link to this | view in thread ]
Re: Re: Re: Last Saturday's Slashdot post....
[ link to this | view in thread ]