[BreachExchange] SQL Injection Vulnerability Exposed Starbucks Financial Records

Destry Winant destry at riskbasedsecurity.com
Mon Aug 12 10:20:18 EDT 2019


A critical SQL injection vulnerability exposed nearly one million
financial records stored in a Starbucks enterprise database, a
researcher revealed this week.

Eugene Lim, aka spaceraccoon, earned $4,000 after reporting the flaw
to Starbucks via the company’s bug bounty program on HackerOne. The
security hole was identified on April 8 and it was patched within two
days. The vulnerability report he submitted to HackerOne was made
public on August 6.

It’s worth noting that $4,000 is the maximum amount of money Starbucks
pays for critical vulnerabilities through its bug bounty program. The
average bounty awarded by the coffee giant is $250 and the total
amount paid out so far exceeds $400,000.

According to Lim, he started by checking the targeted endpoint for
file upload vulnerabilities and then tested it for XXE flaws after
noticing that it had been running the Microsoft Dynamics AX enterprise
resource planning (ERP) platform.

After his attempts to launch XXE attacks failed, he decided to move on
to other potential targets. Roughly a month later, he decided to
revisit the endpoint and check for SQL injections, which he soon

“So I had an SQL injection - but what if the database was unused or
negligible? I decided to test for three things: the type of data in
the database, the amount of data, and the recency of data. However, I
quickly met a roadblock: as an enterprise database, Microsoft Dynamics
AX was massive: a quick check revealed that the database had thousands
of tables. I had to find and focus on the main table, but where should
I begin?” Lim wrote in his report to Starbucks.

He added, “Fortunately, Microsoft provides documentation online about
Dynamics AX. After a bit of research, I found the default main table
and the relevant columns. A few minutes later, the answers came in.
There were almost a million entries up till the previous year that
included real accounting information. Zaheck!! I immediately stopped
testing and wrote my report.”

The researcher said the database stored accounting and other financial
records, including tax, receipt and payroll data.

More information about the BreachExchange mailing list