Thursday, May 28, 2015 - 11:22

Hacking Starbucks and a typical reaction from idiots

Egor Homakov found a way to steal money from Starbucks by exploiting a race condition on their gift cards by initiating two identical transfers at once.

The hack basically goes like this. You can transfer credit from one card to the other. So let's say you have two cards with 5 bucks on them. If you transfer 5$ from one to the other you end up with one card having no credit and the other 10$. What you'd expect.

A race condition allows to do the transfer twice. So you end up with the receiving card having 15$ credit ... unlimited coffee. The problem virtually always stems from bad database transaction handling.

The interesting - but sadly rather common - part is the reaction. Starbucks is one of those companies where I wouldn't expect responsible handling. To no surprise it was apparently difficult to find someone to talk to in the first place. After about a month of trying [quite some stamina there...] he managed to get a call back mentioning fraud and malicious actions ... Just what you'd expect.

Now that's the part I love most about idiots like this. Someone else does their job, saves them from losing money and you don't get a thank you and a bunch of free coffees. No. You have to deal with a retard insulting you.

Egor did steal a couple of bucks. But he recharged his credit right away. Calling that fraud is pretty bold for a bunch of nitwits who just got kindly informed that they couldn't get a simple database transaction straight. A problem that could result in loss of money fast if it gets around.

Companies need to learn that these incidents are a gift. It's a free ticket away from a potential disaster. And if someone saves your stupid ass you do not insult or threaten them.

Homakov could just have disclosed the results from his finger exercise and everyone with actual malicious intent could have played Starbucks-Bingo. Responsible disclosure is a courtesy. Not a requirement.