Beware Coffee Lovers! StarBucks Exposed you to 3 Critical Vulnerabilities
Ever registered on the Starbucks website? Change your password now!
If you are one of the millions of Starbucks customers who have registered an account and credit card details on the Starbucks website, your banking details are vulnerable to hackers.
An independent security researcher, Mohamed M. Fouad from Egypt, found three critical vulnerabilities on the Starbucks website that could have allowed attackers to take over your account in just one click.
Stealing Credit Card Details
In the case of the Remote File Inclusion (RFI) flaw, an attacker can inject a file from any location into the target page; the file is included as source code for parsing and execution, allowing the attacker to perform:
- Remote code execution on the company's web server
- Remote code execution on the client side, potentially enabling further attacks such as Cross-Site Scripting (XSS)
- Data theft or data manipulation via phishing attacks aimed at hijacking customer accounts containing credit card details
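The root cause of a Remote File Inclusion flaw is letting a request parameter decide which file the server includes. The mitigation is to never use that parameter as a path at all, only as a key into a fixed allowlist. The following Python is an added example written for this article; it is not Starbucks' code or the researcher's proof of concept, and the page names, template directory and sample inputs are constructed assumptions.

```python
import posixpath
from urllib.parse import urlparse

# Constructed allowlist (an assumption, not the site's own code): the only page
# names the application will ever include, mapped to files on disk.
ALLOWED_PAGES = {
    "home": "home.html",
    "rewards": "rewards.html",
    "account": "account.html",
}
TEMPLATE_DIR = "/var/www/app/templates"  # assumed template location


class IncludeRejected(ValueError):
    """Raised when a requested include must not be served."""


def looks_remote(value: str) -> bool:
    """True when the value names a remote location (URL scheme or protocol-relative)."""
    parsed = urlparse(value)
    return bool(parsed.scheme) or value.startswith("//")


def resolve_page(user_value: str) -> str:
    """Map an untrusted page parameter to a local file path, or refuse.

    The parameter is only ever used as a dictionary key, so a request can
    neither name a remote URL (RFI) nor walk the filesystem (LFI).
    """
    if looks_remote(user_value):
        raise IncludeRejected("remote locations are never included")
    if user_value not in ALLOWED_PAGES:
        raise IncludeRejected("unknown page")
    path = posixpath.normpath(posixpath.join(TEMPLATE_DIR, ALLOWED_PAGES[user_value]))
    # Defense in depth: even an allowlisted entry must resolve inside TEMPLATE_DIR.
    if posixpath.commonpath([path, TEMPLATE_DIR]) != TEMPLATE_DIR:
        raise IncludeRejected("resolved path escapes the template directory")
    return path


def safe_to_include(user_value: str) -> bool:
    """True only if resolve_page would serve the value."""
    try:
        resolve_page(user_value)
    except IncludeRejected:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: one legitimate page name and the kinds of values an
    # RFI/LFI probe sends; only the first resolves.
    for candidate in ["home", "http://example.invalid/x.txt", "//example.invalid/x",
                      "../../../etc/passwd", "php://input"]:
        print(f"{candidate!r:36} -> {safe_to_include(candidate)}")
```

The `looks_remote` check is redundant with the allowlist lookup, but it gives a distinct, loggable rejection reason, which is useful for detection: a stream of requests carrying URL schemes in a page parameter is a clear scanning signal.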
Hijacking a Starbucks Store Account Using CSRF
CSRF, or Cross-Site Request Forgery, is a method of attacking a website in which an intruder masquerades as a legitimate user. All an attacker needs to do is get the target's browser to make a request to the site on their behalf, which is possible if they can either:
- Convince users to click on their HTML page
- Insert arbitrary HTML into the target site
In this case, an attacker could use CSRF to trick a victim into clicking a URL that changes the user's store account information, including the account password.
This could allow the attacker to hijack victims' accounts, delete accounts or change victims' email addresses.
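A site is open to the attack described above when a state-changing action (changing the password or e-mail) can be triggered by a request the browser will send automatically, such as a link click, with nothing but the session cookie proving who asked. The defence is to require something the attacker's page cannot obtain: a per-session anti-CSRF token, plus a check that the request came from the site's own origin. The Python below is an added example for this article, not code from Starbucks or the researcher; the site origin, session identifier and request dictionaries are constructed stand-ins for a framework's request object.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret (an assumption); a real deployment loads it
# from configuration and rotates it, never hard-codes or regenerates it per process.
SERVER_SECRET = secrets.token_bytes(32)
SITE_ORIGIN = "https://store.example"  # assumed origin of the store application


def issue_csrf_token(session_id: str) -> str:
    """Mint a token bound to this session: a nonce plus an HMAC over (session, nonce)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def same_site_request(headers: dict) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) is our own site."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == SITE_ORIGIN
    referer = headers.get("Referer")
    if referer is not None:
        return referer.startswith(SITE_ORIGIN + "/")
    return False  # strict policy choice: no source information, no state change


def accept_account_change(request: dict, session_id: str) -> bool:
    """Gate a state-changing endpoint (change password / e-mail / delete account).

    `request` is a constructed stand-in with keys "method", "headers" and "form".
    """
    if request["method"] != "POST":
        return False  # a plain link (GET) must never change account state
    if not same_site_request(request["headers"]):
        return False
    return verify_csrf_token(session_id, request["form"].get("csrf_token", ""))


if __name__ == "__main__":
    session = "sess-7f3a"  # constructed session identifier
    token = issue_csrf_token(session)
    # A form rendered by the site carries the token and our own Origin.
    legitimate = {"method": "POST", "headers": {"Origin": SITE_ORIGIN},
                  "form": {"csrf_token": token, "email": "new@example.net"}}
    # A cross-site page can make the browser send the cookie, but not the token,
    # and the browser stamps it with the foreign Origin.
    forged = {"method": "POST", "headers": {"Origin": "https://other.example"},
              "form": {"email": "changed@example.net"}}
    print("legitimate accepted:", accept_account_change(legitimate, session))
    print("forged accepted:    ", accept_account_change(forged, session))
```

Binding the token to the session identifier is what stops an attacker from using a token issued to their own account against a victim, and `hmac.compare_digest` keeps the comparison from leaking timing information. The Origin check is a second, independent layer: it costs nothing and catches misconfigured endpoints that forgot the token altogether.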