By Clare O’Gara
Thu | Aug 8, 2019 | 9:15 AM PDT

With $4,000, you could buy about a thousand Starbucks Frappuccinos.

An ethical hacker can do exactly that with his earnings from reporting a security bug to the coffee chain.

Will detect vulnerabilities for coffee

Spaceraccoon, a white hat hacker who reported the bug through HackerOne, noticed a critical vulnerability in the Starbucks enterprise database.

On HackerOne, Spaceraccoon described how they found the vulnerability:

I first came across the endpoint via typical subdomain enumeration. On the surface, it looked like an extremely promising target: a simple HTML file upload form.

I began by testing for unrestricted file uploads with PHP shells and such, but it quickly became clear from the verbose error messages that while the files were being sent to the server, they were being processed as XML files and were not saved on the server.

@Spaceraccoonsec also posted a brief synopsis of what the SQL injection exposed in a tweet:

[Image: Spaceraccoon's Starbucks tweet]

This goes to show: report bugs to Starbucks, and you'll earn some real bucks.