Hacker Informs Starbucks Of Gift Card Exploit; Starbucks Accuses Hacker Of Fraud And Maliciousness

from the hackaccino dept

In a period of a couple of weeks we have already seen some rather strange stories about companies failing to make the best use of free security advice and information, and instead going on the attack. Here we go again, I guess. What this latest example lacks in terrifying flight maneuvers or disgusting internet grossness, it makes up for in pure pettiness. This is the story about how Starbucks was informed by a hacker that he’d discovered and proof-tested an exploit on the company’s gift card systems that allowed people to load twice as much money on a card as they were supposed to.

Egor Homakov found a flaw that let him duplicate funds on a gift card, which he spent in a store to test his theory. Mr Homakov worked out that making two web browsers transfer money between the same cards, at the same time, sometimes duplicated the transfer and added funds to a gift card that had not been paid for. After buying some drinks and a sandwich in a store to test if the process had worked, Mr Homakov topped up the card to repay the $1.70 (£1.10) he owed to the company.
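The bug the BBC excerpt describes is a classic check-then-act race on a balance transfer. The following is an added example, not code from the article, from Homakov's write-up, or from Starbucks' systems: a constructed in-memory card store (`CardStore`, with hypothetical card IDs "A" and "B") whose `read`/`write` pair stands in for a SELECT followed by an UPDATE, and whose `debit_if_sufficient` stands in for a single conditional `UPDATE ... WHERE balance >= ?`. Two concurrent transfers are forced into the worst-case interleaving with a `threading.Barrier` so the outcome is deterministic rather than "sometimes", and the hardened version shows the fix a defender would deploy: make the check and the debit one atomic step.

```python
import threading


class CardStore:
    """Constructed stand-in for a gift-card balance backend (not a real API)."""

    def __init__(self, balances):
        self._balances = dict(balances)
        self._lock = threading.Lock()

    def read(self, card):
        # like "SELECT balance FROM cards WHERE id = ?"
        with self._lock:
            return self._balances[card]

    def write(self, card, value):
        # like "UPDATE cards SET balance = ? WHERE id = ?"
        with self._lock:
            self._balances[card] = value

    def credit(self, card, amount):
        # like the atomic "UPDATE cards SET balance = balance + ? WHERE id = ?"
        with self._lock:
            self._balances[card] += amount

    def debit_if_sufficient(self, card, amount):
        # like "UPDATE cards SET balance = balance - ? WHERE id = ? AND balance >= ?"
        # and checking that exactly one row was affected
        with self._lock:
            if self._balances[card] < amount:
                return False
            self._balances[card] -= amount
            return True

    def snapshot(self):
        with self._lock:
            return dict(self._balances)


def vulnerable_transfer(store, src, dst, amount, pause=lambda: None):
    """Read, check, then write back: two requests that both read before
    either writes both pass the check, and the destination is credited twice
    while the source is debited only once."""
    balance = store.read(src)
    if balance < amount:
        return False
    pause()  # window in which the concurrent request runs
    store.write(src, balance - amount)
    store.credit(dst, amount)
    return True


def hardened_transfer(store, src, dst, amount, pause=lambda: None):
    """Check and debit are one atomic step; the second concurrent request
    finds the funds already gone and is rejected."""
    pause()
    if not store.debit_if_sufficient(src, amount):
        return False
    store.credit(dst, amount)
    return True


def race(transfer, balances, src, dst, amount):
    """Run two identical transfers concurrently. The Barrier makes both
    threads reach the pause point before either continues, so the lost
    update is reproduced every time instead of occasionally."""
    store = CardStore(balances)
    barrier = threading.Barrier(2)
    results = []

    def worker():
        results.append(transfer(store, src, dst, amount, pause=barrier.wait))

    threads = [threading.Thread(target=worker) for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return store.snapshot(), sum(results)


if __name__ == "__main__":
    # Constructed starting balances: card A holds 10, card B is empty.
    print("vulnerable:", race(vulnerable_transfer, {"A": 10, "B": 0}, "A", "B", 10))
    print("hardened:  ", race(hardened_transfer, {"A": 10, "B": 0}, "A", "B", 10))
```

With the vulnerable function, card B ends at 20 from a starting total of 10 and both requests report success; with the hardened function exactly one request succeeds and the total is conserved. In a real database the same fix is a conditional UPDATE checked for affected rows, a `SELECT ... FOR UPDATE` inside the transaction, or an idempotency key per transfer request; a server-side audit that sums all card balances against total money loaded is the detection counterpart.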

Pretty solid, honest move, especially given that Homakov then informed Starbucks of the issue after reloading his card so as not to be costing the company even the meager couple-o-dollars it took to test his theory out in practice. As far as altruistic hackers, Homakov’s story is about as good as it gets. So of course Starbucks went on the attack.

He told Starbucks so they could fix the flaw, but said that the company had then called his actions “malicious”.

“The unpleasant part is a guy from Starbucks calling me with nothing like “thanks” but mentioning “fraud” and “malicious actions” instead,” he wrote.

A spokeswoman for Starbucks told BBC News: “After this individual reported he was able to commit fraudulent activity against Starbucks, we put safeguards in place to prevent replication.”

I have to say, even when most of these stories leave me thinking that the attacking companies would be better off taking the free security advice of people like Homakov, I can at least stretch myself to understand why they might let emotions get in the way of logical behavior. Maybe, like with airflight exploits, the danger is so great that the company just wants everyone to shut up while it gets its house in order. Or maybe, like when goatse ends up on your billboards, embarrassment takes over. But Starbucks’ actions are without explanation. Far from going on the attack, the coffee company should be praising and thanking Homakov and it should be counting itself lucky that the exploit was discovered by such a benevolent force rather than one with more mischievous intentions.

Hell, many companies pay for this kind of information. Resting on the fact that the hacker tested his theory before bringing the information to the company as an excuse to throw around legal threats is stupid. Maybe they need to put down the latte to calm the jitters or something.

Companies: starbucks


Comments on “Hacker Informs Starbucks Of Gift Card Exploit; Starbucks Accuses Hacker Of Fraud And Maliciousness”

41 Comments
Baron von Robber says:

“He told Starbucks so they could fix the flaw, but said that the company had then called his actions “malicious”.”

See, this is why when you find an exploit in a system, you sell it to the highest bidder. 1) Profit! and 2) You won’t get in trouble from the business you would otherwise inform so they can fix it.

It’s obviously bad to inform companies of their lack of security.

ltlw0lf (profile) says:

Re: Re:

It’s obviously bad to inform companies of their lack of security.

What always bothers me most about this is the belief, on the part of the company, that they are the smartest people in the room, and that nobody will ever be smarter than them about their own processes, procedures, devices, etc.. Then someone comes along and smashes their belief, and they immediately assume that that is the only person on the planet that managed to figure it out.

If someone thought it up, then it is a pretty good bet that someone else has thought it up before, is currently thinking about it, or will shortly be thinking about it. There are 6+ billion people on the planet, and it is a pretty safe bet that more than one person knows about a security flaw.

Hence the reason for open disclosure of flaws in the first place…let everyone know right now that the cat is out of the bag so there is no possibility that “I didn’t know” can trump bad security practices and people hurt by not knowing that the companies they are providing data to are being so promiscuous with it (something I automatically assume now.)

Anonymous Coward says:

it’s about time people stopped doing the right thing and informing companies of exploits that could cost the companies a great deal of money and just let it all happen! it’s getting worse than the bloody government, and that is saying something! whatever happened to gratitude, for Christ’s sake? i suppose it will be the world’s fault next time it happens and the company will expect the whole of it (world) to be locked up!
do these companies ever go after the software developer who wrote the program? that is the direction to aim the disenchantment, not at the revealer!!

Anonymous Coward says:

Last Saturday's Slashdot post....

I think people are having a difficult time differentiating between two actions that have taken place here: 1) security research that discovered a hole and 2) unauthorized abuse of that hole to prove a point and demonstrate the severity of the flaw.

Starbucks is hostile to the second, not the first. If he’d stopped at discovering the flaw and bringing it to their attention, I doubt they’d be hostile.

If you parked your car and someone noticed the door was unlocked and the keys were in the ignition and came and told you, that’d be under 1) — if instead, they got in, drove your car up to the door of your building and honked the horn to get your attention, that’s under 2). And that’s exactly what he did.

Looks like we also need a security researcher wall of shame that lists “researchers” who go beyond the research and commit federal crimes to demonstrate what the flaw allows them to do.

Any time you’re inside a network you’re not supposed to have access to, you’ve crossed the “hacker” line from “white” to “grey”. If you don’t immediately back out and report, you’ve slid all the way to “black”.

Baron von Robber says:

Re: Last Saturday's Slashdot post....

Um, he went thru with it to confirm his hypothesis. Minimal amount. He could have kept quiet about it and nobody except whatever black hat stumbled upon it next, would exploit over and over, etc.

But you say he went too far?!
Wow.

You’re the reason to encourage a researcher like him not speak out.

Anonymous Coward says:

Re: Re: Last Saturday's Slashdot post....

If you’ve got any technical prowess, you can find the flaw and test the theoretical problem without actually committing a crime. If you decide to test a store’s security system by taking a chocolate bar from the checkout counter, it doesn’t matter that it was only a small thing you took, you still took it.

He could have kept quiet about it, or he could have let them know. Instead, he decided to abuse the flaw to present them with a fait d’accompli. This definitely got their attention, but not in a good way.

I’m the reason to encourage a FELLOW researcher like him to follow protocol; otherwise he gives the rest of us a bad name, and makes it more difficult for us to speak out when we haven’t actually done anything wrong.

His legal options at the start were:
1) Contact Starbucks and ask them if he can do some pro bono pen testing for them
2) Contact Starbucks and let them know about the flaw in their system, and ask for permission to see how far it went
3) Test the flaw and then go public with the theoretical bug as well as the tested flaw. Not the best way forward, but still legal.

Instead, he chose to cross the line, even if there wasn’t any malfeasance attached, and even if he immediately paid back the cost of the goods he got.

Anonymous Coward says:

Re: Re: Re: Last Saturday's Slashdot post....

Actually you are wrong on that. Working with a lot of equipment, you always need to test the flaw because it could just be that the system didn’t report the information correctly.

It may have appeared that he added money to his account, but in actuality it only reported that the money was added and wasn’t actually added.

Also, if history is any example, Starbucks would have just ignored the email unless it was a worked and not just a possibility.

Sheogorath (profile) says:

Re: Re: Re: Last Saturday's Slashdot post....

Being extremely thirsty one day, I went to my local shop and took a bottle of Mountain Dew, then opened it and drank from it. I had the entire bottle finished by the time I paid. I suppose in your eyes that I committed a crime just like Egor Homakov because I consumed a product and only then paid for it. You’d best not eat at any restaurants if that’s your thinking; they operate that way all the time.

Anonymous Coward says:

Re: Last Saturday's Slashdot post....

No, what happened was 1) Security research that theoretically discovered a hole, and 2) Security research that confirmed the existence of a hole.

Right up until he actually tested it in store, he didn’t have any confirmation that the exploit actually worked. For all he knew, there were extra checks implemented when actually using the card to buy something that would have caught the error. Meaning instead of a full blown exploit, their gift card balance checking was just buggy. Testing it with a trivial amount of money confirmed that there was indeed a serious problem that did not stop at the balance checking.

Anonymous Coward says:

Re: Re: Last Saturday's Slashdot post....

Testing it with a trivial amount of money was still wrong. Instead, he should have handed the card over to someone at Starbucks, and asked THEM to test the card, with him not receiving goods in exchange. He could do this while explaining what he had done to put the card into that state.

You can’t just go around exploiting flaws in people’s systems just to verify the flaw, no matter how you rationalize it, unless you have permission. It’s not like free speech, it’s not just an academic exercise; there’s a line that gets crossed, and no matter how you try to explain it away, that line is still there.

Did Starbucks do the right thing in response? No, not really. But two wrongs don’t make a right.

Anonymous Coward says:

Re: Re: Re: Last Saturday's Slashdot post....

So what happens if it was a flaw in how the browser showed his balance? Then he goes and says I found an exploit you need to patch, and if Starbucks listens, they waste time trying to replicate a problem that doesn’t exist!

The time it takes to search for an exploit like this is far more valuable than $1.70 to verify it (especially when it’s refunded). Heck, in the tech world anymore you can’t have a phone conversation for $1.70. If I was at work I’d have spent $1.70 typing this one sentence at the rates we charge….

tqk (profile) says:

Re: Re: Re:2 Last Saturday's Slashdot post....

You’re obviously a manager, not a geek.

So what happens if it was a flaw in how the browser showed his balance?

All it would take is one of your people trying what he reported he did using what he said he used. Can they do it too? This’s pretty basic science. Can you replicate the reported flaw, as the flaw was reported to work? If not, you’re done. You needn’t even say thank you.

This shouldn’t take much time out of your precious day, especially if it might cost your bosses [mb]illions.

Instead, he’s treated like a thief and lawyers are sicced on him? Bad form.

Anonymous Coward says:

Re: Re: Re:2 Last Saturday's Slashdot post....

pointless to try and reason with people like that.

All laws must be followed, except when it’s those making the laws and enforcing them breaking them; they are an exception.

It’s stupid hero worship. Until they are affected personally then they will side with what they violently opposed prior.

Anonymous Coward says:

Re: Re: Re: Last Saturday's Slashdot post....

Mr Big Note AC who by your statements indicates that you are a bona fide security researcher. Prove you are and that you actually know what you are talking about, because from your statements you actually don’t know right from wrong, let alone how to test anything let alone a security problem.

Give a name to yourself and your background and let us judge your integrity and honesty.

tqk (profile) says:

Re: Last Saturday's Slashdot post....

I think people are having a difficult time differentiating between two actions that have taken place here …

No, there’s two different sorts of people interacting with the problem. One, the good samaritan, and two, the business idiot who can’t think farther than the daily receipts, and doesn’t want to, and doesn’t think they need to.

He should’ve just taken them for all they’re worth after documenting the problem and sending a report to contact@blah…

Idiots.

That One Guy (profile) says:

How many times does it need to be shown...

Never privately inform a company of an exploit you found, unless they have, through past actions, made it clear that they welcome people who do so.

Post the exploit publicly, such that they have no choice but to fix it, but do it anonymously. Telling them first is just asking for a whole heap of trouble as they try and silence the source of embarrassment through lawsuits and legal threats.

Yes, this may suck for the company in question, as they have no chance to patch things up before everyone knows about it, but at this point it’s beyond clear that trying to be ‘nice’ does nothing but put a huge target on your head.

Anonymous Coward says:

Companies like Starbucks DESERVE to be hacked

Part of this story — you read the whole thing — is that Starbucks made it quite impossible for him to contact their security team. That’s stupid. It’s an invitation to pain.

Why? Because we’ve had a standard way to report security issues FOR 18 YEARS.

It’s right here: MAILBOX NAMES FOR COMMON SERVICES, ROLES AND FUNCTIONS in section 4:

4. NETWORK OPERATIONS MAILBOX NAMES

Operations addresses are intended to provide recourse for customers,
providers and others who are experiencing difficulties with the
organization’s Internet service.

   MAILBOX        AREA                USAGE
   -----------    ----------------    ---------------------------
   ABUSE          Customer Relations  Inappropriate public behaviour
   NOC            Network Operations  Network infrastructure
   SECURITY       Network Security    Security bulletins or queries

Setting up these addresses — and everyone should have “abuse” and “security”, with “noc” used as appropriate — is trivially easy. Arranging for traffic sent to them to be forwarded to the appropriate people is equally easy. The entire process should take less than 5 minutes and there is absolutely no valid excuse for failing to do so.

Starbucks didn’t do that. Neither abuse@ or security@ works — even today, after it’s been publicly pointed out that they’ve made themselves unreachable. So their insipid whining about how this is “fraud” is really just a coverup for their own negligence and incompetence.

tqk (profile) says:

Re: Companies like Starbucks DESERVE to be hacked

All of those administration addresses have long been spammed to hell and back, so have been ignored or disabled for years. Your modern IT twit tends to think two or three spam showing up in email per day is an attack, at best, so such accounts are no longer monitored if even enabled. Try Twitter or Facebook instead. That’s their public interface. Managed by the marketing dept. of course, not the techs who could actually fix something if it’s broken.

Anonymous Coward says:

Re: Re: Companies like Starbucks DESERVE to be hacked

Anyone who can’t handle the spam that will arrive at those accounts appropriately is MUCH too stupid to be running an operation of any kind, let alone a huge corporate one like Starbucks. This is a trivial problem to solve for anyone with minimal email expertise. There is thus absolutely no valid excuse for failure to have this working. That’s why it’s in an RFC and that’s why every responsible, competent, professional operation does it.

And it’s beyond idiotic to suggest that anyone should have to sign up for a third-party service like Twitter or Facebook in order to contact a company. Really, anyone pushing that approach should be removed from the Internet and blacklisted for life.

ltlw0lf (profile) says:

Re: Re: Re: Companies like Starbucks DESERVE to be hacked

Anyone who can’t handle the spam that will arrive at those accounts appropriately is MUCH too stupid to be running an operation of any kind, let alone a huge corporate one like Starbucks.

Given their response to this issue, I believe the answer is “Yes.” They are MUCH too stupid to be running an operation of any kind.

streetlight (profile) says:

Contact the appropriate authority

After discovery, but by never “testing” the discovery by breaking in, Starbucks would have been notified of the problem and given 45 days to fix it or the fault would have been made public. If Starbucks’ security certificate were removed, they would have been in a lot of trouble. Not sure if CERT is the appropriate authority.

sigalrm (profile) says:

Re: Contact the appropriate authority

“Simple”, “Obvious” solutions like this tend not to be viable in the real world.

Consider: You’re proposing the creation of a viable and effective centralized repository of corporate vulnerabilities.

No matter how many pledges, agreements, treaties, or whatnot were implemented to the contrary, such an organization would be an irresistible target for Nation States, Spies (corporate & other), and other malicious actors, and while hacking of the repository would be an issue, so would the blackmail, coercion, and bribery of its employees.

Such an organization would be compromised before it was even operational.

Anonymous Coward says:

A gentleman knowing that waitresses at bars have a problem keeping their tab straight when asked by two people at the same time, a customer does this intentionally to a waitress. When she makes a mistake, he corrects for the difference and explains the issue to a manager so all the waitresses can receive instructions to not let this happen. He then gets insulted by the manager and accused of stealing money from the register for this information.

Yep… the gentleman is the asshole there…. /s

kenichi tanaka (profile) says:

When are morons going to get the hint? Every time someone discovered an exploit and informed the company of the exploit, they have always acted negatively toward the information.

If I discovered an exploit, knowing full well how honest people are being treated for informing them of the exploit, I would post the exploit on every website I came across, showing people how to exploit the glitch.

While I have never honestly exploited anything, I sure as hell would not inform the company of the exploit.

That One Guy (profile) says:

Re: Re:

As more and more examples of people being threatened instead of thanked for trying to be helpful come up, that’s exactly what’s going to happen, and the companies will have no-one to blame but themselves.

If trying to be ‘polite’ and privately informing a company of a security or other flaw is going to get you sued or harassed, then people are going to stop doing so. Instead, those finding such flaws will either ignore them, report them publicly, or exploit them, and none of these are good outcomes from the company’s perspective.

In their rush to punish the messenger and protect their ‘image’, companies are setting themselves up for much worse things down the road.

Joe K says:

I don't understand what you don't understand

I have to say, even when most of these stories leave me thinking that the attacking companies would be better off taking the free security advice of people like Homakov, I can at least stretch myself to understand why they might let emotions get in the way of logical behavior.

C’mon. Emotions? Companies? Go to Category Error, do not pass Go, do not collect $200.

Maybe, like with airflight exploits, the danger is so great that the company just wants everyone to shut up while it gets its house in order. Or maybe, like when goatse ends up on your billboards, embarrassment takes over. But Starbucks’ actions are without explanation.

How about this? You and I are moo-cow peons, and the suits in charge are rent-seeking freeloaders accustomed to unlimited entitlement.

There is one way, and one way alone, for a moo-cow peon to interact properly with their companies: by being exploited.

Offer free and useful advice? Be sneered at. Isn’t it cute, this moo-cow thinks it’s people!

Actually demonstrate the utility of that advice? Abomination! Death to the mutant moo-cow!

Wade Lovell, CEO Simpatic.co (user link) says:

Kill the White Hat Hackers! (Then who is left?)

I have several empty Starbucks gift cards registered to my account and one with plenty of money on it. So, if this works I will never pay for coffee again. OR Starbucks could support the White Hat community where I have lived and breathed for years. The next White Hat Hacker who isn’t already on the consulting payroll (Hey, I’m sometimes available for $US 500 an hour.), will s/he know to keep the exploit to herself or himself or will s/he reveal it anonymously throughout the universe?
