Starbucks Critical Flaws Allow Hackers To Phishing & Steal User's Credit-cards and Perform Remote Code Execution Today i will show you how I discovered a lot of critical security vulnerabilities at (Starbucks) it can lead to very harmful impact on all users by force users change their passwords , add alternative emails or change anything in their store profile settings and steal users stored credit-cards. also can perform phishing attack on users and remote code execution on Starbucks servers. Story: One year ago there was a Zero-Day for Starbucks about iOS Mobile Application and it was "Insecure Data Storage" vulnerability. So when i was searching about Starbucks hacking news i found that two months ago there was another vulnerability which allows attackers to steal Starbucks users gift cards and duplicate funds on Starbucks gift cards. So i noticed 2 months ago that Starbucks joined bug bounty programs. So my passion lead me to take a look on Starbucks looking for a vulnerabilities in Starbucks until i found two major critical vulnerabilities which allows an attacker to perform Remote Code Execution on Starbucks server also phishing attacks via Remote File Inclusion Vulnerability and another one it was critical also about CSRF store account take over by just one-click. Starbucks store account contains payment history. News URLs : http://www.bbc.co.uk/news/technology-32844123 http://www.cnbc.com/2015/05/13/hackers-target-starbucks-gift-cardholders.html Vulnerabilities: Remote File Inclusion Vulnerability: which occurs when a file from any location can be injected into the attacked page and included as source code for parsing and execution. it allowed me to able to perform: Code execution on the web server. Code execution on the client-side such as JavaScript which can lead to other attacks such as cross site scripting (XSS). Data theft/manipulation via phishing attack to steal users accounts that contain Credit cards and payment orders information. Vulnerable URL : http://quality.starbucks.com/admin/api/outside/proxy?url= m3535wewe ;$ ------------------------------------------------------------------------------------------------ Full article: http://mohamedmfouad.blogspot.com.eg/2015/09/starbucks-critical-flaws-allow-hackers.html?view=classic