For the second time in as many weeks Starbucks is facing allegations that its payments system is hackable.
This latest claim comes from security researcher Egor Homakov. The computer expert performed an experiment on three Starbucks gift cards, reports the Daily Dot. He bought them to see if he could find any holes in the Starbucks gift card and mobile payments system.
Focusing on a common class of bug in payment software known as ‘race conditions,’ Homakov tried to see if he could figure out a way to hack his gift cards. The researcher calls these race conditions “very common bugs for websites with balances, vouchers or other limited resources (mostly money)” on his blog.
While capitalizing on this problem is difficult to explain (it involves writing a bunch of code and launching it at a very specific time), Homakov was essentially able to fudge the gift card recharging system and add money to his cards from ostensibly nowhere. It looked as if he was transferring money from one card to another, but because of this vulnerability he figured out how to increase this amount. This bug, if exploited correctly, gives people the power to add funds from nothing based on a flaw in the system architecture.
It took him six tries to figure out how to exploit the problem, but after all was said and done he had $20 on his gift cards.
To make sure it wasn’t some technical error, he went to the closest Starbucks and bought himself a $15 meal. Afterward, to avoid any legal problems, he added $10 to his Starbucks accounts to make up for the money he had hacked.
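The class of bug described above can be shown with a toy balance store; this is an added example, not Homakov's code or anything from Starbucks' systems. `CardStore`, the card names and the `window` hook are constructed for illustration: the racy transfer checks the balance and writes later from a stale read, while the hardened one holds a lock across the check and the write.

```python
import threading

class CardStore:
    """Constructed in-memory stand-in for a gift card balance table."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self._row = threading.Lock()   # each single write is atomic, like one UPDATE
        self._txn = threading.Lock()   # used only by the hardened transfer

    def _write(self, src, new_src_balance, dst, amount):
        with self._row:
            self.balances[src] = new_src_balance
            self.balances[dst] += amount

    def transfer_racy(self, src, dst, amount, window=lambda: None):
        seen = self.balances[src]                      # 1. read
        if seen < amount:                              # 2. check
            return False
        window()                                       # gap: a parallel request passes the same check
        self._write(src, seen - amount, dst, amount)   # 3. write based on the stale read
        return True

    def transfer_atomic(self, src, dst, amount, window=lambda: None):
        with self._txn:                                # check and write are one critical section
            seen = self.balances[src]
            if seen < amount:
                return False
            window()
            self._write(src, seen - amount, dst, amount)
            return True

def run_two_parallel(method_name):
    """Send two identical transfers of the full balance at the same moment."""
    store = CardStore({"card_a": 5, "card_b": 0})
    gate = threading.Barrier(2)
    results = []
    def window():
        try:
            gate.wait(timeout=0.5)     # hold until both requests have passed the check
        except threading.BrokenBarrierError:
            pass                       # the other request never got past the lock
    def request():
        results.append(getattr(store, method_name)("card_a", "card_b", 5, window))
    threads = [threading.Thread(target=request) for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sorted(results), store.balances
```

In a real service the same guarantee usually comes from the database, for example a conditional update or a row lock inside a transaction, rather than from an in-process lock.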
This comes less than two weeks after Bob Sullivan wrote on his blog about another alleged Starbucks hack that made it possible for hackers to transfer funds from one account to another. In that case, it seems hackers were able to crack user passwords using a technique known as brute force, and then transferred funds from the hacked accounts onto their own cards.
If auto-reload is enabled in the app, the hackers can automatically withdraw funds from a person’s bank account. A woman whose account was hacked reportedly saw more than $100 withdrawn from her account into a ghost Starbucks gift card in less than seven minutes.
Both of these alleged hacker attacks take aim at Starbucks’ gift cards program and app. The coffee giant’s mobile payments system is the biggest payments app on the market currently, and these two issues highlight potential vulnerabilities with its underlying technology. Or, at the very least, with the way it safeguards user accounts from hijackers.
Starbucks responded to Bob Sullivan’s earlier allegations via a blog post, denying any formal hacks had happened to its systems. The company explained that it has “safeguards in place to constantly monitor for fraudulent activity and works closely with financial institutions.” It added that customers’ accounts are likely being hacked because criminals have obtained “reused names and passwords from other sites.”
This latest issue discovered by Homakov, however, seems to be an actual problem with Starbucks’ technology.
Business Insider contacted Starbucks about this most recent allegation, which points to an actual vulnerability in its gift card framework. We will update this post if we hear back.