Mohamed M. Fouad, an Information Security Consultant from SecureMisr, has discovered a critical flaw in Starbucks that allowed an attacker to steal users’ credit-cards and perform Remote Code Execution.
“I discovered a lot of critical security vulnerabilities at (Starbucks) that can lead to very harmful impact on all users by forcing them to change their passwords, add alternative emails or change anything in their store profile settings and steal users’ stored credit-cards. It can also perform phishing attack on users and remote code execution on Starbucks servers,” the Egyptian researcher said in a blog post.
According to the researcher, Remote File Inclusion Vulnerability occurs when a file from any location can be injected into the attacked page and included as source code for parsing and execution. It allowed me to able to perform:
         –  Code execution on the web server.
          – Code execution on the client-side such as JavaScript which can lead to other    attacks   such as cross site scripting (XSS).
         –  Data theft/manipulation via phishing attack to steal users accounts that contain Credit cards and payment orders information.
The researcher started his research a year ago when there was a Zero-Day for Starbucks about iOS Mobile Application and “Insecure Data Storage” vulnerability was detected.
While he was searching about Starbucks hacking news he found another vulnerability two months ago which allowed the attackers to steal Starbucks users gift cards and duplicate funds on Starbucks gift cards.
“I noticed 2 months ago that Starbucks joined bug bounty programs. So my passion lead me to take a look on Starbucks  looking for a vulnerabilities in Starbucks until I found two major vulnerabilities which allow an attacker to perform Remote Code Execution on Starbucks server also phishing attacks via Remote File Inclusion Vulnerability and another one it was critical also about CSRF store account take over by just one-click. Starbucks store account contains payment history,” he added.
However, Starbucks confirmed that it has fixed the vulnerabilities.