“One misstep from builders at Starbucks left uncovered an API key that might be utilized by an attacker to entry inner techniques and manipulate the checklist of approved customers,” reviews Bleeping Pc:
Vulnerability hunter Vinoth Kumar reported the oversight on October 17 and shut to 3 weeks later Starbucks responded it demonstrated “vital info disclosure” and that it certified for a bug bounty… Together with figuring out the GitHub repository and specifying the file internet hosting the API key, Kumar additionally offered proof-of-concept (PoC) code demonstrating what an attacker may do with the important thing. Aside from itemizing techniques and customers, adversaries may additionally take management of the Amazon Internet Providers (AWS) account, execute instructions on techniques, and add or take away customers with entry to the inner techniques.
As soon as Starbucks was content material with the remediation steps taken, the corporate paid Kumar a $4,000 bounty for the disclosure, which is the utmost reward for crucial vulnerabilities. Most bounties from Starbucks are between $250-$375. The corporate solved 834 reviews since launching the bug bounty program in 2016, and 369 of them had been reported up to now three months. For them, Starbucks spent $40,000.
Learn extra of this story at Slashdot.