Starbucks Devs Leave API Key in GitHub Public Repo (bleepingcomputer.com)
"One misstep from developers at Starbucks left exposed an API key that could be used by an attacker to access internal systems and manipulate the list of authorized users," reports Bleeping Computer:
Vulnerability hunter Vinoth Kumar reported the oversight on October 17, and close to three weeks later Starbucks responded that it demonstrated "significant information disclosure" and that it qualified for a bug bounty... Along with identifying the GitHub repository and specifying the file hosting the API key, Kumar also provided proof-of-concept (PoC) code demonstrating what an attacker could do with the key. Apart from listing systems and users, adversaries could also take control of the Amazon Web Services (AWS) account, execute commands on systems, and add or remove users with access to the internal systems.
Once Starbucks was content with the remediation steps taken, the company paid Kumar a $4,000 bounty for the disclosure, which is the maximum reward for critical vulnerabilities. Most bounties from Starbucks are between $250-$375. The company solved 834 reports since launching the bug bounty program in 2016, and 369 of them were reported in the past three months. For them, Starbucks spent $40,000.
The Cloud (Score:3, Insightful)
Yeah let's hear it for putting critical data on computers you don't own!
Re:The Cloud (Score:5, Insightful)
Re: (Score:2)
Except that the large majority of companies don't own the hardware their websites sit on. That's always been the case, even before the cloud was "a thing".
Thank God. I've dealt with both, and believe me, the average company does not do things better in house.
Re: (Score:1)
> Yeah let's hear it for putting critical data on computers you don't own!
More like "separate code from settings and do not commit real setting values to software repo".
$4000 for this? (Score:1)
Re: (Score:2)
Re: (Score:1)
Re: (Score:3)
Because you're an ethical being?
Oh, you wanted a serious answer. Okay, how about:
Because it's much easier to sleep when you're not constantly worried about getting caught?
Re:$4000 for this? (Score:5, Funny)
They should give that person Starbucks for life.
Coincidentally, a few days prior to reporting the bug - Kumar did win the current "Starbucks for Life" promotion.
Re: (Score:2)
They should give that person Starbucks for life
No good deed goes unpunished.
Re: (Score:2)
They should give that person Starbucks for life. The "bug" was absolutely critical and finding that probably saved them millions
OMG does anybody know what happened to the restroom key?!?! This situation is absolutely critical, and I can guarantee you that a security breach is imminent.
Re: (Score:2)
$40,000 payout for all those vulns? (Score:2)
1. What a bargain.
2. I trust some CTO level person at SB has been told to update the resume
Learn to code they said...! (Score:1)
https://developers.slashdot.or... [slashdot.org]
What could possibly go wrong?
Starfucks is owned by Nestle (Score:2)
Also, their hot chocolate is so shitty it could have come out of a fucking packet, and their beans are burnt.
It seems they can do nothing right.
This is only going to get more common (Score:3)
How to prevent this? (Score:2)
I put my passwords, api keys, and whatnot in a separate file, manually check in a dummy/stub copy, and then put the real one in .gitignore. It's fragile, manual, a pain, and I'd love to have a better way. Thoughts?
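The two practical suggestions in this thread (keep real settings out of the repo, and commit only a stub) can be enforced mechanically rather than by hand. The script below is an added example written for this page, not code from the thread or from Starbucks: it scans text for an AWS-style access key ID and for generic `api_key`/`secret`/`token`/`password` assignments, lets a committed stub through when it holds a known placeholder value, and provides a loader that refuses to start if a secret is missing from the environment or still holds the placeholder. The regexes, the placeholder list, the variable name `SERVICE_API_KEY` and the sample config text are all constructed assumptions for the example.

```python
#!/usr/bin/env python3
"""Pre-commit secret check plus a placeholder-aware settings loader.

Added example for this thread (not from the original page). The patterns and
placeholder list below are assumptions; tune them to your own code base.
"""
import os
import re
import sys

# Assumed detection patterns: AWS access key IDs (AKIA + 16 uppercase/digits)
# and generic "name = 'value'" style assignments of secret-looking settings.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_assignment": re.compile(
        r"""(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['"]([^'"]{4,})['"]"""
    ),
}

# Values a committed stub/dummy file is allowed to contain (assumed list).
PLACEHOLDERS = {"changeme", "dummy", "xxxx", "replace_me", "replace-me", "<redacted>"}


def scan_text(text, path="<stdin>"):
    """Return a list of (path, line_number, pattern_name) for suspicious lines.

    A generic assignment whose value is a known placeholder is skipped, so the
    stub file the thread describes can be committed without tripping the hook.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            if name == "generic_assignment" and match.group(2).lower() in PLACEHOLDERS:
                continue
            findings.append((path, lineno, name))
    return findings


def load_secret(name, env=None):
    """Read one secret from the environment, never from the repository.

    Fails fast when the variable is unset or still carries the placeholder
    value copied from the committed stub.
    """
    env = os.environ if env is None else env
    value = env.get(name)
    if value is None:
        raise RuntimeError(f"{name} is not set; export it or inject it from a secrets manager")
    if value.strip().lower() in PLACEHOLDERS:
        raise RuntimeError(f"{name} still holds the committed placeholder value")
    return value


# Constructed sample: what a stub settings file might look like after someone
# pasted a real-looking key and password into it by mistake.
SAMPLE_CONFIG = """\
# settings.py.example (constructed sample): safe to commit only with placeholders
API_KEY = "changeme"
aws_access_key_id = "AKIAXXXXXXXXXXXXXXXX"
password = "hunter2hunter2"
"""


def main(argv):
    """Scan the files named on the command line, or the embedded sample."""
    if argv:
        findings = []
        for path in argv:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(fh.read(), path))
    else:
        findings = scan_text(SAMPLE_CONFIG, "settings.py.example")
    for path, lineno, name in findings:
        print(f"{path}:{lineno}: possible secret ({name})")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with no arguments it reports lines 3 and 4 of the sample and exits non-zero. To use it as the thread's reviewers suggest, call it from `.git/hooks/pre-commit` on the staged files (`git diff --cached --name-only`), and have the application obtain its real values through `load_secret("SERVICE_API_KEY")` from the environment or a secrets manager, so nothing but the placeholder ever sits in the repository.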
Re: (Score:2)
Thoughts?
Yeah.
Don't ever tell anyone anything about "how" you handle security. And never for any reason post it to open forums on the internet.
Re: (Score:2)
I thought we, as an industry, had given up on security through obscurity?
Re: How to prevent this? (Score:1)
Re: (Score:1)
Bring experts to company to work on projects... in person...
Nothing online, nothing easy for the world to share in.
The world gets to view the working results, open to the world....
Not the working that went into any project.
Got secrets? Keep them in the company and trusted to the best and most skilled staff....
Fly, drive, walk, bicycle in experts as needed for company work.
The world then gets to see much less. Less risk with networks, better intern
Re: (Score:2)
Re: (Score:1)
HashiCorp Vault would be one alternative, and certainly better than hand-rolling. Also pretty easy to auto-rotate credentials as needed.
Kumar? (Score:1)
I suspect Kumar is not his last name.