Starbucks API key was accidentally exposed publicly on GitHub

Starbucks developers made a serious mistake by publicly exposing an API key that could be used by attackers to gain access to the company's internal systems and to manipulate the list of authorized users.

The exposure was extremely serious because the key granted unrestricted access to Starbucks' JumpCloud API, through which an attacker could control Amazon Web Services (AWS) accounts, execute commands on systems, and add or remove accounts with access to the internal systems.

The incident was first discovered by Vinoth Kumar, an independent security researcher, who found the Starbucks API key in a publicly accessible GitHub repository and reported the details through HackerOne's vulnerability coordination and bug bounty platform.
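The practical lesson of this incident is that credentials of this kind should be caught before they reach a public repository. The following is an added example of a minimal secret scanner, not code from the page or from Starbucks or JumpCloud; it combines a known-format rule (the documented `AKIA` prefix of AWS access key IDs), an assumed rule for JumpCloud keys (a `jumpcloud_api_key`-style assignment with a 40-hex-character value, which is an assumption for this example), and a generic Shannon-entropy check for any long token-like value. The settings file it scans is constructed for the example and every value in it is made up.

```python
import math
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of the kind of settings file that gets committed by
# mistake. Every value here is made up; none is a real credential.
SAMPLE_CONFIG = """\
# app settings (constructed example; values are made up, not real credentials)
JUMPCLOUD_API_URL=https://console.jumpcloud.com/api
JUMPCLOUD_API_KEY=3f9a1c7e0b2d4a6c8e1f3a5b7c9d0e2f4a6b8c1d
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
SESSION_SECRET="q8Zt2pLm9Xv4Kd7Rb3Wn6Yh1Jc5Fg0As"
SERVICE_ACCOUNT_NAME=starbucks-mobile-service-account
LOG_LEVEL=debug
"""

# Known-format detectors. The AWS access key ID prefix is documented by AWS.
# The JumpCloud rule is an assumption made for this example: it matches a
# jumpcloud_api_key-style assignment whose value is 40 hex characters.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "jumpcloud_api_key": re.compile(
        r"(?i)jumpcloud[_-]?api[_-]?key\s*[=:]\s*['\"]?([0-9a-f]{40})\b"
    ),
}

# Generic fallback: NAME=value lines whose value is a long, token-like string.
ASSIGNMENT = re.compile(
    r"^\s*[A-Za-z_][A-Za-z0-9_]*\s*[=:]\s*['\"]?([A-Za-z0-9+/=_\-]{20,})['\"]?\s*$"
)
HEX_ONLY = re.compile(r"^[0-9a-fA-F]+$")


@dataclass(frozen=True)
class Finding:
    kind: str
    line: int
    value: str


def shannon_entropy(value: str) -> float:
    """Bits per character, estimated from the value's own symbol frequencies."""
    if not value:
        return 0.0
    total = len(value)
    counts: Dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((n / total) * math.log2(n / total) for n in counts.values())


def looks_random(value: str) -> bool:
    # Hex carries at most 4 bits per character, so hex-only values get a lower
    # bar; the 3.0 / 4.5 thresholds follow the usual secret-scanner convention.
    threshold = 3.0 if HEX_ONLY.match(value) else 4.5
    return shannon_entropy(value) >= threshold


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per line that carries a probable credential."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hit = False
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                # Report the captured group when the rule has one, else the whole match.
                findings.append(Finding(kind, lineno, m.group(m.lastindex or 0)))
                hit = True
        if hit:
            continue  # a known-format rule already reported this line
        m = ASSIGNMENT.match(line)
        if m and looks_random(m.group(1)):
            findings.append(Finding("high_entropy_value", lineno, m.group(1)))
    return findings


def redact(value: str, keep: int = 4) -> str:
    """Mask a secret so the scanner's own report does not leak it again."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG):
        print(f"line {f.line}: {f.kind}: {redact(f.value)}")
```

On the sample the scanner flags the JumpCloud key and the AWS key ID by format and the session secret by entropy, while the long but human-readable service account name stays below the entropy bar. The entropy rule is a heuristic: any 40-character hex string, such as a commit hash, will trip it, so in practice it runs as a pre-commit hook with an allowlist. Scanning the working tree is also not enough on its own; the key must be searched for in the whole git history, and once it has been pushed to a public repository it has to be treated as compromised and revoked, as Starbucks did, because deleting the repository does not recall copies that were already cloned or cached.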

JumpCloud is an Active Directory management platform positioned as a replacement for Azure AD. It provides centralized user management, single sign-on (SSO) access control and a Lightweight Directory Access Protocol (LDAP) service.

Kumar reported the issue on October 17 and gave Starbucks three weeks to confirm it, after which the details of the flaw would be disclosed publicly. Starbucks analyzed the report, rated it a critical flaw in its internal systems, and awarded Kumar a $4,000 bug bounty.

Starbucks was also praised for its response: it had the repository removed from GitHub and revoked the exposed API key on October 21, four days after the report. The company took longer to issue an official statement because it needed to "ensure that the issue is understood and all appropriate corrective actions have been taken".
