A potential remote code execution (RCE) vulnerability has been fixed in one of Starbucks's mobile domains.
The American coffee giant runs a bug bounty program on HackerOne. A new vulnerability report by Kamil "ko2sec" Onur Özkaleli, first submitted on 5 November and published on 9 December, describes an RCE issue found on mobile.starbucks.com.sg, a platform for its Singapore users.
According to the advisory, ko2sec discovered an .ashx endpoint on mobile.starbucks.com.sg intended for manipulating image files. However, the endpoint did not restrict uploads, meaning attackers could abuse the flaw to upload malicious files and potentially execute arbitrary code remotely.
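The upload restriction the endpoint lacked, as an added example that is not from the article or from Starbucks's code: a Python illustration of the server-side checks an image-upload handler should apply (extension allowlist, magic-byte check, server-chosen filename, storage outside the web root). The function names, size limit and upload directory are assumptions.

```python
# Added example (not the reported .ashx handler's code): validation an
# image-upload endpoint should perform before accepting a file.
import os
import secrets
from typing import Optional, Tuple

ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}
# Leading magic bytes for the image formats the endpoint is meant to handle.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
MAX_SIZE = 5 * 1024 * 1024  # 5 MiB; an assumed limit for this example


def validate_image_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Reject anything that is not plainly an image."""
    if len(data) > MAX_SIZE:
        return False, "too large"
    base = os.path.basename(filename)  # drop any directory components
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_EXT:
        return False, f"extension {ext or '(none)'} not allowed"
    # Names such as "a.ashx.png" carry an inner extension; refuse them too.
    if "." in root:
        return False, "multiple extensions"
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return False, "content does not match declared image type"
    return True, "ok"


def safe_storage_name(filename: str) -> str:
    """Server-chosen name: random token plus the validated extension only."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    return secrets.token_hex(16) + ext


def handle_upload(filename: str, data: bytes, upload_dir: str) -> Optional[str]:
    """Return the storage path for an accepted file, or None if rejected."""
    ok, _reason = validate_image_upload(filename, data)
    if not ok:
        return None
    # upload_dir is assumed to sit outside the web root, so nothing stored
    # there is ever served or executed as a handler.
    return os.path.join(upload_dir, safe_storage_name(filename))
```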
The RCE is not the only bug the researcher has reported to Starbucks. In October, ko2sec described an "account takeover exploit" on the Starbucks Singapore site caused by an exposed testing environment. It was possible to target users - if their email address was known - to view their personal data and even spend any balance loaded into their wallet accounts to make purchases.
The bug hunter received $6,000 for this report.
To date, Starbucks has received 1,068 vulnerability reports through HackerOne. The average payout for valid submissions ranges from $250 to $375, while critical bugs earn from $4,000 to $6,000. In total, the coffee chain has paid out over $640,000 to bug hunters.