Jan 10, 2020

I've made a venti mistake

Starbucks exposed API

Starbucks, the largest coffeehouse chain in the world, accidentally exposed an API key in a public GitHub repository that could have been used by an attacker to access internal systems, manipulate lists of authorized users, or completely take over Starbucks’ AWS account.

What’s the damage? None, yet. But it could have been far worse.

The critical vulnerability granted access to an API connected to Starbucks’ deployment of JumpCloud, a directory-as-a-service authentication tool to manage employee access to application resources. While there are no reports of any bad actors taking advantage of the security flaw, any developer could have taken control of Starbucks’ AWS account to execute commands or add and remove users.

Payday. A lone developer discovered the misplaced API key in a GitHub repository and disclosed the bug through HackerOne, a bug bounty platform that pays developers for finding and reporting security issues. The developer took home a $4,000 bounty from Starbucks for the disclosure.

Since launching its bug bounty program in 2016, Starbucks has solved more than 800 bug reports and doled out $500,000 to hackers—equal to roughly 105,000 venti cappuccinos.

The big picture: APIs are a growing security issue for many companies—tech and non-tech alike. Starbucks is no exception.

Why? Development teams increasingly rely on APIs to integrate various parts of their technology stack. Microservices, cloud providers, and code repositories are all interconnected with APIs that need to be managed and secured.

As development stacks grow in pursuit of faster and more efficient engineering, more people work with these APIs across many different functions and roles, opening the door to new security threats.
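The incident above turned on a credential sitting in a public repository. As an added example that is not part of this article (nor Starbucks', JumpCloud's or AWS's own tooling), a small scanner that a pre-push hook could run over added diff lines, flagging AWS access key IDs (the documented "AKIA" prefix plus 16 uppercase characters or digits) and high-entropy values assigned to secret-looking variable names. The diff fragment and every key value in it are constructed; `AKIAIOSFODNN7EXAMPLE` is the public example ID from AWS documentation, not a live key.

```python
import math
import re
from collections import Counter

# Constructed "git diff" fragment; none of these values are real credentials.
SAMPLE_DIFF = """\
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+DB_HOST=db.internal.example.com
+DIRECTORY_SERVICE_API_KEY=a3f9c2e1d4b8a7f6e5c4d3b2a1f0e9d8c7b6a5f4
+LOG_LEVEL=debug
"""

# Added line of the form NAME=value or NAME: "value" (env files, YAML, shell).
ASSIGNMENT = re.compile(r'^\+\s*([A-Za-z_][A-Za-z0-9_]*)\s*[=:]\s*["\']?([^"\'\s]+)')
# AWS access key IDs have a fixed documented shape: "AKIA" + 16 uppercase/digits.
AWS_KEY_ID = re.compile(r'\bAKIA[0-9A-Z]{16}\b')
# Variable names that usually hold credentials.
SECRET_NAME = re.compile(r'(KEY|SECRET|TOKEN|PASSWORD|PASSWD)', re.IGNORECASE)


def shannon_entropy(s):
    """Bits per character; random hex tops out near 4.0, random base64 near 6.0."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_diff(diff_text, min_len=20, min_entropy=3.0):
    """Return (line_number, finding_type) for each added line that looks like a secret."""
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith('+'):
            continue  # only newly added lines can introduce a fresh leak
        if AWS_KEY_ID.search(line):
            findings.append((lineno, 'aws-access-key-id'))
            continue
        m = ASSIGNMENT.match(line)
        if m and SECRET_NAME.search(m.group(1)):
            value = m.group(2)
            # Long, high-entropy values assigned to KEY/SECRET/TOKEN names are likely real.
            if len(value) >= min_len and shannon_entropy(value) >= min_entropy:
                findings.append((lineno, 'high-entropy-secret'))
    return findings


if __name__ == '__main__':
    for lineno, kind in scan_diff(SAMPLE_DIFF):
        print(f'line {lineno}: possible {kind}')
```

Wired into a pre-push hook, a non-empty result from `scan_diff` is the point to block the push and rotate the key if it was ever live.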
