Barista twister

A bug hunter has proved instrumental in resolving a critical SQL injection vulnerability on a Starbucks enterprise database that may have exposed internal financial and accounting records.

Eugene Lim (AKA @spaceraccoon) earned $4,000 through a vulnerability disclosure program run by HackerOne on behalf of Starbucks for the find.

The bug created a means for the potentially unscrupulous to access the coffee chain’s taxes, receipts, and payroll data, all information held on an exposed accounting database.

Lim discovered a SQL Injection vulnerability in a web service (a simple HTML file upload form) that created a way to access the database.

More specifically, he found a flaw that was exploitable via XML-formatted HTTP payload requests with an encoded single quote to the server, which was running Microsoft Dynamics AX, an enterprise financial/accounting software platform.

Starbucks acted promptly in addressing the bug, which was resolved within two days of a report, filled in early April.

HackerOne went public with details of the flaw and how it was resolved on Tuesday (August 6).

Lim’s attempts to mount XXE (XML External Entity) attacks on the file upload form within Starbucks’ web infrastructure initially failed.

He returned to the same endpoint a month later and found success probing for SQL injection attacks after realizing that an XML encoded single quote caused a database error.

Lim told The Daily Swig that while SQL Injection flaws have been known about for years they remain a class of vulnerability that is commonplace in corporate systems.

“I would say SQL injections are rare but definitely not extinct,” Lim explained. “I have encountered a couple, one most recently as last week.”

“Most developers use some kind of wrapper like Object Relational Mapping that reduce the risk of injections, but there are instances where either raw queries are used or the wrapper is misconfigured,” he added.

The researcher warned of the serious impact of SQL injection flaws.

“The problem is that SQL injections often lead to critical impacts – some can even lead to remote code execution with the right queries,” he said.

“In this case, an accounting database was compromised.”

Payment of $400 might seem like a modest payout for Lin’s efforts, but it is the maximum granted under Starbuck’s program.

Lin is nonetheless content with his reward.

He said: “Although companies with higher bounties will attract many more researchers, I value other factors like company response time and level of interaction. In this case, the Starbucks team responded and patched the vulnerability within two days, and I had many good experiences interacting with the team when reporting other vulnerabilities.”