Critical SQL injection vulnerability in a Starbucks enterprise database

A website security researcher who reports bugs helped fix a critical SQL injection flaw affecting an enterprise database at the well-known coffee chain Starbucks. The flaw could have exposed confidential financial and accounting data.

Thanks to his discovery, expert Eugene Lim (also known as ‘spaceraccoon’) received a $4,000 bounty, paid through Starbucks’ vulnerability bounty program, operated by the HackerOne platform.

The affected database stored confidential company records, such as Starbucks tax data, invoices, and payroll information; the vulnerability would have allowed any threat actor with the necessary knowledge to access these records without authorization.

The vulnerability discovered by the website security expert resides in an HTML file upload form, which created a way to reach the database. Specifically, Lim found that the flaw was exploitable using XML-formatted HTTP request payloads containing a single encoded quote, sent to the server running Microsoft Dynamics AX, a financial and accounting software platform. After receiving the report in mid-April, Starbucks began correcting the bug; two days later, the vulnerability was completely patched.

According to website security experts, Lim’s first attempts to deploy an XXE (XML External Entity) attack on the file upload form within the company’s web infrastructure were unsuccessful. Weeks later, the expert returned to the same endpoint and managed to confirm a SQL injection by realizing that a simple XML-encoded quotation mark caused the database query to fail. “Even though SQL injection is a variant of attack known for years, it remains a really common vulnerability in various corporate systems,” he says. “Maybe they are found infrequently, but SQL injections are definitely not extinct; I myself found a couple of them a few days ago,” he added.

Website security experts from the International Institute of Cyber Security (IICS) say that many developers rely on a wrapper layer, such as an Object Relational Mapping (ORM) library, to reduce the risk of SQL injection. However, in some cases queries are issued without the wrapper, or the wrapper is poorly configured, so raw input still reaches the query text.
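The mechanism described above (an XML-encoded quote decoded by the parser and then landing inside a concatenated query) beside the parameterized form an ORM or wrapper would normally produce, as an added illustration that is not code from the report or from Starbucks; the XML payload, the SQLite table and the vendor names are constructed for the example.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample payload, shaped like an XML document a file-upload form
# might carry. The vendor name holds an XML-encoded single quote (&#39;).
SAMPLE_XML = b"""<?xml version="1.0"?>
<invoice><vendor>O&#39;Brien Roasters</vendor><amount>120.50</amount></invoice>"""

def setup_db():
    """In-memory stand-in for a finance table (constructed schema, not a real one)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (vendor TEXT, amount REAL)")
    conn.execute("INSERT INTO invoices VALUES ('O''Brien Roasters', 120.5)")
    conn.execute("INSERT INTO invoices VALUES ('Bean Supply Co', 80.0)")
    return conn

def vendor_from_xml(payload):
    """The XML parser decodes &#39; back into a literal ' before the app sees it."""
    return ET.fromstring(payload).findtext("vendor")

def lookup_concatenated(conn, vendor):
    """Query built by string concatenation (the weak pattern).
    Returns the matching rows, or the database error text when the quote breaks the SQL."""
    sql = "SELECT amount FROM invoices WHERE vendor = '" + vendor + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "SQL error: %s" % exc

def lookup_parameterized(conn, vendor):
    """Same lookup with a bound parameter: the quote is treated as data, never as SQL syntax."""
    sql = "SELECT amount FROM invoices WHERE vendor = ?"
    return conn.execute(sql, (vendor,)).fetchall()

def demo():
    """Run both lookups on the decoded vendor name and return (vendor, weak_result, safe_result)."""
    conn = setup_db()
    vendor = vendor_from_xml(SAMPLE_XML)
    return vendor, lookup_concatenated(conn, vendor), lookup_parameterized(conn, vendor)

if __name__ == "__main__":
    vendor, weak, safe = demo()
    print("decoded vendor:", vendor)
    print("concatenated  :", weak)   # a database error: the decoded quote broke the query
    print("parameterized :", safe)   # [(120.5,)]
```

The error surfaced by the concatenated version is exactly the kind of signal the report describes: a single decoded quote changing query syntax, which is what parameter binding prevents.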

In addition, experts warn of the severe consequences a SQL injection can have. “The problem is that SQL injections often generate critical consequences that can even lead to much higher risk scenarios, such as remote code execution,” the experts note.

The $4,000 reward the expert received for his report may seem small compared to the sums paid by other vulnerability reward programs, but it is worth noting that this is the largest amount set by the Starbucks bug bounty program.

Still, Lim is said to be satisfied with his work. “Looking for rewards from larger companies may bring greater benefits, but money isn’t my only motivation. Companies like Starbucks respond immediately to these reports and allow for greater interaction; in this case, the process of reporting and correcting the vulnerability took less than a week, and working with them was a good experience,” he said.