A computer security researcher says he recently found a way to hack Starbucks’ gift card system and add value to a gift card essentially for free. Starbucks has not yet responded to my questions about the attack, but the researcher says the bug he exploited has been fixed.
Computer security consultant Egor Homakov, who conducts penetration tests under the brand name Sakurity.com, said on his website he was able to turn $15 worth of Starbucks cards into $20 during a proof of concept experiment. That kind of value creation is the holy grail for criminals who attack money systems, with the implied potential of creating infinite value out of thin air. Practically speaking, that’s not possible, but you can imagine the value of such a hack to a computer criminal with evil intentions. Fortunately, theft wasn’t Homakov’s motivation. (Unlike the credit card criminals I wrote about recently who target Starbucks accounts with linked credit or debit cards. )
Homakov says he was able to exploit a common bug knows as “race conditions” to trick Starbucks system into letting him transfer the same $5 in value onto a second card twice, leaving him with a $15 card and a $5 card. He did it by initiating transfers from separate web browsers at essentially the same time, confusing Starbucks’ systems.
Race condition attacks rely on a failure of computers to properly handle instructions that occur in very close time sequence. If instructions are not handled in the right order, serious problems can occur. For example: if funds are credited to a new account before they are deleted from an old account, it can be possible to transfer the same funds twice.
Homakov, who is from Russia but is now based in San Francisco, then purchased several items from Starbucks to prove his technique worked.
“$15 in, $16.70 out. The concept is proven and now let’s deposit $10 from our credit card to make sure the US justice system will not put us in jail over $1.70,” he wrote on his blog.
Then he set about trying to “responsibly” disclose the problem to Starbucks. Homakov found dealing with the firm challenging, however. It took weeks to get the company’s attention, and when he did, he did not receive the kind of gratitude that security researchers often get when they point out technical flaws for free.
“Support guy honestly answered there’s absolutely no way to get in touch with technical department and he’s sorry I feel this way,” he wrote. “Emailing InformationSecurityServices@starbucks.com on March 23 was futile (and it only was answered on Apr 29). After trying really hard to find anyone who cares, I managed to get this bug fixed in like 10 days. The unpleasant part is a guy from Starbucks calling me with nothing like ‘thanks’ but mentioning “fraud” and “malicious actions” instead.”
In a email brief interview with me, Homakov described his interactions with Starbucks.
“E-mails from them are usually ‘call me.’ It was a phone call where that guy mentioned ‘fraud word. It wasn’t a threat, I guess, but it was definitely unexpected and unpleasant,” he said.
(Homakov also explained to me that he rounded out the values in his explanation on his website; he was actually able to create a roughly $7 “double spend,” leaving him with cards equaling $22.40 in value. He changed the numbers to simplify the explanation.)
The rapid success of Starbucks mobile pay and gift card system has helped make it a target, as my recent report on credit card hackers and their successful attacks showed. And last year, a researcher discovered that the Starbucks app was storing passwords in plain text.
While Starbucks did not answer my questions about the hack, it issued a statement to the BBC.
“After this individual reported he was able to commit fraudulent activity against Starbucks, we put safeguards in place to prevent replication,” the firm said, according to the BBC.
It’s important to note that Starbucks said last year that it didn’t know of a single customer who had been a victim of the password issue; and we don’t know of anyone who’s been victimized by this value creation attack. The risk to consumers here is probably very, very low. The news does suggest Starbucks is struggling with security issues and growing pains as it creates what might be considered an alternative money system. The massive point of sale outage last month — which led to Starbucks handing out free coffees around the country for several hours — also paints a picture of a firm struggling with technical issues.
The real risk for consumers, however, comes from trusting Starbucks with your credit or debit card. Those who link their payment accounts to their Starbucks app — a behavior Starbucks encourages with rewards and free drinks — should realize their bank accounts are now only protected by their Starbucks username and passwords. And by Starbucks security.