A security researcher, Sam Curry, recently noticed what he called "suspicious" API calls when ordering a Starbucks gift card for a friend. After learning that Starbucks runs a bug bounty program, Curry dug a little deeper. Soon thereafter, Curry found that Starbucks had potentially exposed personal records of around 100 million customers.
The security issue Curry uncovered was a result of the directory traversal bug. Curry reported the vulnerability through the bug bounty program before bad actors were able to exploit the personal data. That data included names, emails, phone numbers, and addresses.
Directory traversal, or file path traversal, allows attackers to read arbitrary files on a server where an application runs. In the case of Starbucks, endpoints under the /bff/proxy/ on the Starbucks app routed requests to retrieve store data. Although Starbucks had a firewall in place, Curry was able to get around it and traverse API calls to find URLs that shouldn't be accessible on the internal host.
Curry reported the vulnerability to Starbucks on May 16 and Starbucks remedied the situation in less than a day. The highest reward under the Starbucks bug bounty program is $4,000 which Curry received. Starbucks has not commented on the incident.