To Starbucks on HackerOne, a bug hunter has submitted a report defining an RCE vulnerability in one of its domains. He explained that an attacker leveraging this exploit can upload a malicious file to the website, and run an arbitrary code remotely. Starbucks has patched this bug and rewarded him with $5,600.
Starbucks RCE Bug Patched
A bug hunter named Kamil “ko2sec” Onur Özkaleli has reported a flaw in one of Singapore’s mobile domains, which was now patched. It relates to Starbucks Singapore’s website – mobile.starbucks.com.sg.
Ko2sec defined that he discovered a .ashx endpoint in the site, which is designated for handling the image files into the site. Since Starbucks didn’t restrict the file type uploads, attackers can use this flaw to upload any malicious files to the site and exploit it.
This, in this case, as the bug hunter described, can be used for executing an arbitrary code remotely! Also, he said to have found “additional endpoints on other out of scope domains that shared this vulnerability.” But for this bug, a severity score of 9.8/10 was given, with CVE yet to be issued.
He reported this vulnerability to Starbucks on HackerOne on December 5th and was resolved by December 9th, getting him a reward of $5,600. This isn’t the only bug he reported to Starbucks, but also an account takeover issue in October, which garnered him a $6,000 bounty.
Starbucks on HackerOne has received about 1068 bug reports to date and paid out more than $640,000 rewards for them. An average reward for valid reports ranged between $250 to $375, and for critical bugs, it’s $4000 to $6,000.