Bitcoin Forum
Author Topic: Hacker Double-Spends...On A Starbucks Card!  (Read 840 times)
Nxtblg (OP)
Legendary
May 25, 2015, 03:36:22 PM
 #1

And here's the reception he got:

Quote from: Dan Goodin
Researcher who exploits bug in Starbucks gift cards gets rebuke, not love

Plenty of poor manners to go around in fraudulent $1.70 purchase.


A security researcher said he found a way to game Starbucks gift cards to generate unlimited amounts of money on them. Both he and the coffee chain are grumbling after he used a fraudulent card to make a purchase, then repaid the amount and reported the vulnerability.

Egor Homakov of the Sakurity security consultancy found a weakness known as a race condition in the section of the Starbucks website responsible for checking balances and transferring money to gift cards. To test if an exploit would work in the real world, the researcher bought three $5 cards. After a fair amount of experimentation, he managed to transfer the $5 balance from card A to card B, not just once as one would expect, but twice. As a result, Homakov now had a total balance of $20, a net—and fraudulent—gain of $5.

The researcher went on to visit a downtown San Francisco Starbucks location to make sure his attack would actually work. He used the two cards to make a $16.70 cent purchase. He went on to deposit an additional $10 from his credit card "to make sure the US justice system will not put us in jail over $1.70," he explained in a blog post. Here's where hurt feelings—and arguably an overreaction on the part of both parties—entered into the story. Homakov wrote:...

http://arstechnica.com/security/2015/05/researcher-who-exploits-bug-in-starbucks-gift-cards-gets-rebuke-not-love/



Looks like someone's in need of a blockchain...and some good manners.








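The article above describes the bug only in outline: a balance check and the debit that follows it are separate steps, so two transfer requests arriving together can both pass the check before either debit lands. The following is an added example, not code from the Ars Technica piece, from Homakov's write-up or from Starbucks; the in-memory ledger, the card ids A/B/C and the three $5 (500 cent) balances are constructed to match the article's numbers, and the barrier exists only to make the request interleaving reproducible instead of leaving it to chance. It shows the check-then-debit pattern next to the hardened version, where check, debit and credit run in one critical section.

```python
import threading


class GiftCardLedger:
    """In-memory stand-in for a card-balance store (constructed for illustration)."""

    def __init__(self, balances_cents):
        self.balances = dict(balances_cents)      # card id -> balance in cents
        self._lock = threading.Lock()

    def total(self):
        """Sum of all balances; a transfer must never change this."""
        return sum(self.balances.values())

    # --- vulnerable pattern: check balance, then (later) debit -----------
    def transfer_racy(self, src, dst, cents, barrier=None):
        """Check and debit are separate steps with a window between them.

        The barrier holds every request after its check until all of them
        have passed it, which reproduces the timing that concurrent requests
        hit by chance. In this demo every request passes the check, so no
        thread is left waiting at the barrier.
        """
        balance = self.balances[src]              # read
        if balance < cents:                       # check
            return False
        if barrier is not None:
            barrier.wait()                        # window between check and debit
        self.balances[src] = balance - cents      # debit based on a stale read
        with self._lock:                          # the credit itself is atomic, like
            self.balances[dst] += cents           # UPDATE ... SET balance = balance + ?
        return True

    # --- hardened pattern: check, debit and credit in one critical section
    def transfer_atomic(self, src, dst, cents, barrier=None):
        if barrier is not None:
            barrier.wait()                        # requests still arrive together...
        with self._lock:                          # ...but are serialized from here on
            if self.balances[src] < cents:
                return False
            self.balances[src] -= cents
            self.balances[dst] += cents
            return True


def run_concurrently(ledger, method, src, dst, cents, requests=2):
    """Fire `requests` identical transfers at once; return their results sorted."""
    barrier = threading.Barrier(requests)
    results = []

    def worker():
        results.append(method(src, dst, cents, barrier))

    threads = [threading.Thread(target=worker) for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sorted(results)


def demo(transfer_name):
    """Three $5 cards (constructed); two simultaneous $5 transfers from A to B."""
    ledger = GiftCardLedger({"A": 500, "B": 500, "C": 500})
    method = getattr(ledger, transfer_name)
    results = run_concurrently(ledger, method, "A", "B", 500)
    return {
        "results": results,
        "balances": dict(ledger.balances),
        "total_cents": ledger.total(),
    }


if __name__ == "__main__":
    print("racy:  ", demo("transfer_racy"))     # total grows from 1500 to 2000 cents
    print("atomic:", demo("transfer_atomic"))   # total stays at 1500 cents
```

With the racy transfer both requests report success, card A ends at zero and card B holds $15, so the three cards total $20, the figure the article reports. With the atomic transfer the second request fails its check and the total stays at $15. The invariant that `total()` is unchanged by any transfer is also the cheapest detection for this class of bug: a periodic reconciliation of issued value against the sum of balances flags the discrepancy even when no single request looks wrong.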






acharias
Full Member
May 25, 2015, 05:03:50 PM
 #2

Quote from: Nxtblg (OP)
And here's the reception he got:

Quote from: Dan Goodin
Researcher who exploits bug in Starbucks gift cards gets rebuke, not love

Plenty of poor manners to go around in fraudulent $1.70 purchase.


A security researcher said he found a way to game Starbucks gift cards to generate unlimited amounts of money on them. Both he and the coffee chain are grumbling after he used a fraudulent card to make a purchase, then repaid the amount and reported the vulnerability.

Egor Homakov of the Sakurity security consultancy found a weakness known as a race condition in the section of the Starbucks website responsible for checking balances and transferring money to gift cards. To test if an exploit would work in the real world, the researcher bought three $5 cards. After a fair amount of experimentation, he managed to transfer the $5 balance from card A to card B, not just once as one would expect, but twice. As a result, Homakov now had a total balance of $20, a net—and fraudulent—gain of $5.

The researcher went on to visit a downtown San Francisco Starbucks location to make sure his attack would actually work. He used the two cards to make a $16.70 cent purchase. He went on to deposit an additional $10 from his credit card "to make sure the US justice system will not put us in jail over $1.70," he explained in a blog post. Here's where hurt feelings—and arguably an overreaction on the part of both parties—entered into the story. Homakov wrote:...

http://arstechnica.com/security/2015/05/researcher-who-exploits-bug-in-starbucks-gift-cards-gets-rebuke-not-love/



Looks like someone's in need of a blockchain...and some good manners.





Very sad for it :'(
NorrisK
Legendary
May 25, 2015, 05:24:34 PM
 #3

Did he only disclose it to Starbucks and give them a chance to fix it before he went public with it? Otherwise I don't think he was being smart.
Zer0Sum
Legendary
May 25, 2015, 05:40:16 PM
 #4


Truly an idiot. Being an egghead does not place you above the law.

He's probably the only person that would bother to "exploit" a Starbucks card for $1.70...
Maybe he should break into his neighbor's house and "penetration test" his pooch.
Spoetnik
Legendary
May 25, 2015, 07:46:00 PM
 #5

funny but not surprising.. I bet he cloned the card then used it maybe hmmm ?
not sure how this is related to Altcoins but it's interesting news though :)

Mt.Gox Support
VIP
Sr. Member
May 25, 2015, 09:01:55 PM
 #6

Poor guy... he'll never see the light of day.

tss
Hero Member
May 26, 2015, 03:46:42 AM
 #7

Quote from: Mt.Gox Support
Poor guy... he'll never see the light of day.

and yet "you" are still out there...
Nxtblg (OP)
Legendary
May 27, 2015, 05:18:29 PM
 #8

Quote from: Spoetnik
funny but not surprising.. I bet he cloned the card then used it maybe hmmm ?
not sure how this is related to Altcoins but it's interesting news though :)

I posted it to show a contrast - and to show that centralized systems are not immune to double spends, regardless of what we might think.

Here's the contrast: Double-spend a ---coin? You wreck it, send it to the zombie pages of Coinmarketcap, get congratulated in this forum. Double-spend a corporate e-card? Get threatened with legal action.

I wonder if that ethical hacker picked up some of his tricks in these parts. Had he done it to an altcoin, in exactly the way that he did it "to" Starbucks, he would have gotten a nice bounty and profuse thanks from the dev(s). He certainly wouldn't have been threatened with legal action!












emelac
Full Member
May 27, 2015, 08:55:09 PM
 #9

It's normally good practice for security researchers to alert the company with the vulnerable system before going public. If he'd done that their attitude might have been different.
G2M
Sr. Member
May 27, 2015, 09:01:27 PM
 #10


Quote from: Zer0Sum
Truly an idiot. Being an egghead does not place you above the law.

He's probably the only person that would bother to "exploit" a Starbucks card for $1.70...
Maybe he should break into his neighbor's house and "penetration test" his pooch.


Nah, likely the source of hate came from employees knowingly exploiting this.

Getting the news to place any sort of blame on the guy that called them out would be a way to slide the above thought.
