Hacker Warns Starbucks of Security Flaw, Gets Accused of Fraud

← Back to Stories (view on slashdot.org)

Hacker Warns Starbucks of Security Flaw, Gets Accused of Fraud

Posted by Soulskill on Saturday May 23, 2015 @02:35AM from the biting-the-hand-that-doesn't-steal-from-you dept.

Andy Smith writes: Here's another company that just doesn't get security research. White hat hacker Egor Homakov found a security flaw in Starbucks gift cards which allowed people to steal money from the company. He reported the flaw to Starbucks, but rather than thank him, the company accused him of fraud and said he had been acting maliciously.

12 of 107 comments (clear)

Min score:

Reason:

Sort:

No good deed goes unpunished by localroger · 2015-05-23 02:40 · Score: 5, Funny

He would have been better off helping himself to free coffee until the wankers fixed their system.

--
Brackets contain world's first nanosig, highly magnified:[.]
1. Re:No good deed goes unpunished by infolation · 2015-05-23 02:49 · Score: 5, Insightful
  
  In the old days, he'd have posted it in 2600 and we'd ALL've got some free coffee.
  
  No free lunches anymore :[
2. Re:No good deed goes unpunished by AmiMoJo · 2015-05-23 03:37 · Score: 5, Insightful
  
  The sad thing is that publishing the vulnerability anonymously, in 2600 or on one of the disclosure mailing lists, is now the responsible thing to do. Not great for the company involved, but it protects the researcher and it protects the user in some cases.
  At this point I'd only even consider warning the company before anonymously publishing the vulnerability if they had a bug bounty programme. Not because I want money, but because it's the only way to be sure they will actually be thankful and not call the cops right away.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
3. Re:No good deed goes unpunished by Anonymous Coward · 2015-05-23 03:49 · Score: 4, Informative
  
  In the old days, he'd have posted it in 2600 and we'd ALL've got some free coffee.
  No free lunches anymore :[
  weird, I had a dream last night I was buying a 2600 from a bookstore. It's been a long time since I've bought one though. Long time since I bought any magazine actually.
  I work in a bookstore and we still sell 2600 regularly.
You stole too little by rebelwarlock · 2015-05-23 02:41 · Score: 5, Insightful

Everyone knows that you get a negative reaction for stealing a small amount. Steal a couple million and you'll be respected.
My email to press@starbucks.com by Anonymous Coward · 2015-05-23 02:52 · Score: 5, Insightful

"Egor Homakov did you a favor, I think you owe him a thank you, and an apology for your response to his discovery of a security flaw in your system.
This will be your only hope if another security flaw is found, and the discoverer of the flaw now ponders between letting Starbucks know (less likely after your response to Egor Homakov), not letting anyone know (which leaves the security flaw available for anyone to use), or letting the wrong people know about this flaw!
I feel like I am explaining something to a child. You are a corporation, act like one!"
1. Re:My email to press@starbucks.com by Andy+Smith · 2015-05-23 05:14 · Score: 4, Insightful
  
  For most of my life I've worked freelance so I haven't had much experience of the corporate world. But I recently worked for a small newspaper company (approx 400 employees) for a year and it was an eye-opening experience. It amazes me how anything ever gets done in these blind, ignorant, slow-moving organisations.
  I'll give you one example. The company's web filter had an issue with our own web sites, which prevented us from reading them. When I asked IT about it they knew what the problem was, but they couldn't authorise the fix and they suggested I raise the issue with my manager. But my manager was unapproachable -- asking for something to be done was the best way to make sure it didn't get done. It took over a YEAR for a small newspaper company to fix an IT issue that prevented staff from reading their own newspapers' web sites.
  I dread to think what life must be like in big corporations. I don't want to ever experience it.
2. Re:My email to press@starbucks.com by sumdumass · 2015-05-23 07:36 · Score: 4, Informative
  
  It's probably hit with a spam filter before it even reaches him.
  In the email servers I administrate, we white list known addresses and segregate others for approval. Generally the higher ups will assign this approval process to their secretaries. However, in the chance that 100 emails come in saying the same things, this usually trips the spam filter and goes into a folder that is generally automatically deleted unless someone detects it as not spam first. This is why form letters and such are not really noticed until someone sends a PR release stating over so many have been sent. then they look at their spam filter logs and realize 200k people are pissed at them.
Re:come on now! by PPH · 2015-05-23 03:30 · Score: 4, Funny

It's pronounced "eye-gor."

--
Have gnu, will travel.
disclosure by Lehk228 · 2015-05-23 05:07 · Score: 5, Interesting

more proof that responsible disclosure is foolish unless you are delaing with an organization you already have a solid IT/security relationship with.

in any other situation, just post the exploit kit anonymously and make a bowl of popcorn

--
Snowden and Manning are heroes.
#RaceConditionTogether by Phronesis · 2015-05-23 05:19 · Score: 4, Funny

Starbucks can have a new slogan.
Security wall of shame by Kardos · 2015-05-23 06:11 · Score: 4, Interesting

Looks like we need a security wall of shame that lists the response to flaw disclosures of each organisation, so people can quickly determine which companies will fix a flaw upon receiving a report, and which companies are hostile and should not be contacted.