Date: 2015-05-21

A researcher was able to manipulate gift card account balances on Starbucks by exploiting a race condition in its gift card value-transfer protocol.

By doing two gift card value transfers at the same time, the researcher was able to duplicate the transfer and duplicate the balance on the accounts of the researcher.

The researcher found it difficult to disclose the exploit to Starbucks. Starbucks customer support did not know how to contact the service developers. Later Starbucks did not thank the researcher for his efforts, but too a hostile stance against security research.

Related evaluation points: