Starbucks


reports in last 90 days

75 disclosed resolved issues
1 disclosed informative issue
7 disclosed N/A issues

Listed on HackerOne — Updated on 2019/10/15

| Severity | Bug Title | Bug Type | Found By | Time to triage | Time to close | Report Status |
|---|---|---|---|---|---|---|
| High | Starbucks China Android app cloud storage service leaks a credential. | Information Disclosure | k3mlol | 85 Days and 9 hours | 207 Days and 18 hours | Resolved |
| High | [mena.starbucks.com] Laravel App Log & Configuration Disclosure. | Information Disclosure | bobrov | 0 Days and 2 hours | 66 Days and 5 hours | Resolved |
| High | Subdomain takeover of datacafe-cert.starbucks.com | Privilege Escalation | parzel | 0 Days and 6 hours | 18 Days and 3 hours | Resolved |
| Critical | SQL Injection Extracts Starbucks Enterprise Accounting, Financial, Payroll Database | SQL Injection | spaceraccoon | 1 Day and 7 hours | 5 Days and 22 hours | Resolved |
| High | Subdomain takeover of d02-1-ag.productioncontroller.starbucks.com | Privilege Escalation | mindtrick | 3 Days and 10 hours | 5 Days and 23 hours | Resolved |
| Critical | Blind SQLi leading to RCE, from Unauthenticated access to a test API Webservice | SQL Injection | geek_jeremy | 1 Day and 4 hours | 24 Days and 17 hours | Resolved |
| High | Blind SQL Injection on starbucks.com.gt and WAF Bypass :* | SQL Injection | d3417_ | 3 Days and 2 hours | 20 Days and 2 hours | Resolved |
| High | Time-based Blind SQLi on news.starbucks.com | SQL Injection | toctou | 10 Days and 17 hours | 1 Day and 3 hours | Resolved |
| Medium | Full Api Access and Run All Functions via Starbucks App | Improper Authentication - Generic | ynsy | 15 Days and 5 hours | 24 Days and 4 hours | Resolved |
| Medium | Backup Source Code Detected | None supplied | linkks | 1 Day and 1 hour | 45 Days and 19 hours | Resolved |
| Medium | Password Change not notified when changed from settings | Unverified Password Change | karthik87mit | Issue was not triaged | 0 Days and 6 hours | Informative |
| Low | Missing CSRF Token On Remove Coupun From Cart | Cross-Site Request Forgery (CSRF) | apapedulimu | Issue was not triaged | 0 Days and 1 hour | Duplicate |
| High | svcardproxydevus.starbucks.com Subdomain take over | Improper Access Control - Generic | txt3rob | 1 Day and 6 hours | 3 Days and 4 hours | Resolved |
| Critical | Subdomain takeover on svcgatewayus.starbucks.com | Privilege Escalation | 0xpatrik | 1 Day and 16 hours | 84 Days and 5 hours | Resolved |
| High | Subdomain takeover on wfmnarptpc.starbucks.com | Privilege Escalation | 0xpatrik | 0 Days and 23 hours | 2 Days and 2 hours | Resolved |
| High | SSRF at ideas.starbucks.com | Server-Side Request Forgery (SSRF) | damian89 | 2 Days and 5 hours | 0 Days and 0 hours | Resolved |
| Low | Open Redirection in Login - Korean Starbucks | Open Redirect | jtjisgod | 6 Days and 5 hours | 27 Days and 11 hours | Resolved |
| Medium | Stored XSS on www.starbucks.com.sg/careers/career-center/career-landing-* | Cross-site Scripting (XSS) - Stored | 13ern | 22 Days and 2 hours | 1 Day and 22 hours | Resolved |
| Medium | Reflected Cross site Scripting (XSS) on www.starbucks.com | Cross-site Scripting (XSS) - Reflected | cujanovic | 0 Days and 10 hours | 111 Days and 18 hours | Resolved |
| High | Bug in GraphQL and API integration leads to limited user address disclosure | Improper Access Control - Generic | loxiran | 2 Days and 7 hours | 0 Days and 1 hour | Resolved |
| Medium | Reflected XSS in https://www.starbucks.co.jp/store/search/ | Cross-site Scripting (XSS) - Reflected | wa1m3im | 5 Days and 13 hours | 13 Days and 20 hours | Resolved |
| Critical | RCE and Complete Server Takeover of http://www.█████.starbucks.com.sg/ | Code Injection | spaceraccoon | 0 Days and 6 hours | 21 Days and 0 hours | Resolved |
| High | Subdomain takeover of mydailydev.starbucks.com | Externally Controlled Reference to a Resource in Another Sphere | 0xpatrik | Issue was not triaged | 2 Days and 0 hours | Resolved |
| Low | PHPinfo page | Information Disclosure | linkks | 2 Days and 18 hours | 0 Days and 22 hours | Resolved |
| Medium | Information Exposure Through an Error Message at news.starbucks.com | Information Exposure Through an Error Message | seytan6161 | Issue was not triaged | 0 Days and 13 hours | Not-applicable |