responsible disclosure – Techdirt

Stories filed under: "responsible disclosure"

Hacker Informs Starbucks Of Gift Card Exploit; Starbucks Accuses Hacker Of Fraud And Maliciousness

from the hackaccino dept

In the space of a couple of weeks we have already seen some rather strange stories about companies failing to make good use of free security advice and information, and instead going on the attack. Here we go again, I guess. What this latest example lacks in terrifying flight maneuvers or disgusting internet grossness, it makes up for in pure pettiness. This is the story of how Starbucks was informed by a hacker that he had discovered, and tested with a real purchase, a race condition in the company's gift card transfer system that allowed a card to be loaded with twice the money that had actually been paid for.

Egor Homakov found a flaw that let him duplicate funds on a gift card, which he spent in a store to test his theory. Mr Homakov worked out that making two web browsers transfer money between the same cards, at the same time, sometimes duplicated the transfer and added funds to a gift card that had not been paid for. After buying some drinks and a sandwich in a store to test if the process had worked, Mr Homakov topped up the card to repay the $1.70 (£1.10) he owed to the company.

Pretty solid, honest move, especially given that Homakov reloaded his card before informing Starbucks of the issue, so that his test did not cost the company even the meager couple of dollars it took to confirm the theory in practice. As far as altruistic hackers go, Homakov's story is about as good as it gets. So of course Starbucks went on the attack.
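The bug class described in the BBC excerpt above is a check-then-act race: a request reads a balance, decides the transfer is affordable, and writes the result, while a second concurrent request does the same thing against the same stale balance. The following is an added example written for this page, not Starbucks' code or anything Homakov published. It models a gift card backend as an in-memory store (a constructed stand-in) where each individual statement is atomic but the sequence a request issues is not, uses a barrier to force the interleaving that the quote says happened "sometimes", and shows the same two requests against a fixed version in which the check and the debit are one atomic step.

```python
import threading


class GiftCardBackend:
    """In-memory stand-in for a gift card balance store (constructed for this
    example; not Starbucks' system). Balances are in cents. Each individual
    'statement' is atomic, like a database serialising single UPDATEs, but a
    request handler that issues several statements gets no atomicity across them."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self._stmt = threading.Lock()   # atomicity of one statement
        self._txn = threading.Lock()    # atomicity of a whole transfer (used by the fix)

    def total(self):
        """Money in the system; a correct transfer must never change it."""
        return sum(self.balances.values())

    def transfer_racy(self, src, dst, amount, after_check=None):
        """Vulnerable: the balance check and the debit are separate statements,
        and the debit writes an absolute value computed from a stale read."""
        with self._stmt:                              # SELECT balance WHERE id = src
            src_balance = self.balances[src]
        if src_balance < amount:
            return False
        if after_check:
            after_check()                             # window where a second request sneaks in
        with self._stmt:                              # UPDATE ... SET balance = :stale - :amount
            self.balances[src] = src_balance - amount
        with self._stmt:                              # UPDATE ... SET balance = balance + :amount
            self.balances[dst] += amount
        return True

    def transfer_safe(self, src, dst, amount, before_txn=None):
        """Fixed: check and debit happen together under a transfer-wide lock,
        the equivalent of UPDATE ... SET balance = balance - :amount
        WHERE id = :src AND balance >= :amount, then checking rows affected."""
        if before_txn:
            before_txn()                              # requests may still arrive concurrently
        with self._txn:
            if self.balances[src] < amount:
                return False
            self.balances[src] -= amount
            self.balances[dst] += amount
        return True


def run_concurrently(transfer, src, dst, amount):
    """Issue two identical transfer requests, like two browsers submitting the
    same form, and hold both at the hook so they proceed together."""
    gate = threading.Barrier(2)
    results = [None, None]

    def worker(i):
        results[i] = transfer(src, dst, amount, gate.wait)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def demo_racy():
    """Both requests pass the check on the same stale balance: $5.00 becomes $10.00."""
    store = GiftCardBackend({"card_a": 500, "card_b": 0})
    results = run_concurrently(store.transfer_racy, "card_a", "card_b", 500)
    return results, store.balances, store.total()


def demo_safe():
    """Only one request succeeds; the second sees the debited balance and is refused."""
    store = GiftCardBackend({"card_a": 500, "card_b": 0})
    results = run_concurrently(store.transfer_safe, "card_a", "card_b", 500)
    return results, store.balances, store.total()


if __name__ == "__main__":
    print("racy:", demo_racy())   # both True, card_b ends at 1000, total grows to 1000
    print("safe:", demo_safe())   # one True and one False, total stays 500
```

The invariant worth monitoring in a real system is the one `total()` checks: the sum of all balances must not change across a transfer. A periodic reconciliation that flags any drift would have caught this class of bug whether or not anyone reported it.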

He told Starbucks so they could fix the flaw, but said that the company had then called his actions “malicious”.

“The unpleasant part is a guy from Starbucks calling me with nothing like ‘thanks’ but mentioning ‘fraud’ and ‘malicious actions’ instead,” he wrote.

A spokeswoman for Starbucks told BBC News: “After this individual reported he was able to commit fraudulent activity against Starbucks, we put safeguards in place to prevent replication.”

I have to say, even when most of these stories leave me thinking that the attacking companies would be better off taking the free security advice of people like Homakov, I can at least stretch myself to understand why they might let emotions get in the way of logical behavior. Maybe, as with the airplane exploits, the danger is so great that the company just wants everyone to shut up while it gets its house in order. Or maybe, as when goatse ends up on your billboards, embarrassment takes over. But Starbucks' actions have no such explanation. Far from going on the attack, the coffee company should be praising and thanking Homakov, and it should count itself lucky that the exploit was discovered by such a benevolent party rather than one with more mischievous intentions.

Hell, many companies pay for this kind of information. Using the fact that the hacker tested his theory before bringing the information to the company as an excuse to throw around legal threats is stupid. Maybe they need to put down the latte to calm the jitters or something.

Filed Under: egor homakov, hacking, responsible disclosure
Companies: starbucks