Remote code execution vulnerability uncovered in Starbucks mobile platform
Cybersecurity researcher Kahmil “ko2sec” has discovered a remote code execution (RCE) bug in US coffee giant Starbuck’s mobile domains. Starbucks is one of many companies that run a bug bounty platform on HackerOne and allow ethical hackers to cash out on vulnerability detection. According to Khamil, he discovered an .ashx endpoint on a mobile domain owned and operated by Starbucks, creating suspicion.
Khamil later found that the endpoint did not restrict file type uploads, meaning that attackers could potentially upload malicious files or remotely execute code. The full bounty report has been restricted by Starbucks, which has since patched the flaw, but Khamil’s report allegedly revealed more endpoints other than the ones described in the brief. Although the bug has not yet received a CVE, it has a severity score of 9.8 out of 10.