Starbucks accidentally puts API keys of internal systems on GitHub
Developers of Starbucks applications accidentally committed API keys for internal systems to GitHub. The keys could potentially have given attackers access to the company's internal systems; there is no indication that this actually happened.
The leaked keys were found in a public GitHub repository by a security researcher, who reported them to Starbucks through the company's responsible disclosure program on HackerOne. The API keys granted access to JumpCloud, a cloud directory platform (comparable to Active Directory) that Starbucks uses internally for, among other things, user roles and access control via single sign-on. With the keys it was therefore possible to assign new roles to users and to log into the system. According to the researcher, it was also possible to take over Starbucks' Amazon Web Services account.
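The root cause here is a credential committed to a public repository, which is exactly the class of defect automated secret scanning catches before a push leaves the developer's machine. The following is an added example, not code from the article, from Starbucks or from the researcher: a minimal scanner of the kind tools such as gitleaks or truffleHog implement, combining a pattern for credential-style assignments (api_key, secret, token, password) with a Shannon-entropy check on the assigned value, plus one well-known fixed-format pattern (AWS access key IDs). The file contents and key values below are constructed for the example; the key format JumpCloud actually uses is not assumed, and the 4.0 bits-per-character threshold is a tuning choice, not a standard.

```python
"""Minimal secret scanner: flag credential-like assignments with high-entropy values.

Added example; the sample files and all key values are constructed and not real.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed stand-in for files in a public repository. None of these values is a real key.
SAMPLE_FILES = {
    "config/jumpcloud.properties": "\n".join([
        "jumpcloud.base_url=https://console.jumpcloud.com/api",
        "jumpcloud.api_key=Zq8v3kL0pN2xR7tW9yB4dF6hJ1mS5uC8",   # constructed, should be flagged
        "jumpcloud.org_name=example-org",
    ]),
    "src/main/java/Example.java": "\n".join([
        "public class Example {",
        '    private static final String GREETING = "hello world";',
        '    private static final String TIMEOUT = "30";',
        "}",
    ]),
    "deploy/env.sh": "\n".join([
        "export AWS_REGION=us-west-2",
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",                            # AWS docs example ID
        "export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",   # AWS docs example secret
    ]),
    "config/dev.ini": "api_key=changeme_placeholder_value",   # low entropy: a placeholder, not a secret
}

# Assignment of a credential-like name to a value of at least 16 chars from a base64-ish alphabet.
ASSIGNMENT = re.compile(
    r"(?i)\b(?P<name>[a-z0-9_.\-]*(?:api[_\-]?key|secret|token|password)[a-z0-9_.\-]*)"
    r"\s*[=:]\s*[\"']?(?P<value>[A-Za-z0-9/+_\-]{16,})"
)

# Fixed-format credentials can be matched directly; AWS access key IDs start with AKIA.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Bits per character above which an assigned value is treated as a real secret (tuning choice).
ENTROPY_THRESHOLD = 4.0


@dataclass
class Finding:
    path: str
    line: int
    kind: str
    value: str


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; 0.0 for a constant string."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents line by line and return every suspected secret."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in KNOWN_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(path, lineno, kind, m.group(0)))
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group("value")) >= ENTROPY_THRESHOLD:
            findings.append(Finding(path, lineno, "high_entropy_credential", m.group("value")))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents (e.g. every blob reachable in git history)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.kind}: {f.value[:6]}...")
```

Two practical caveats. First, the entropy check separates real keys from placeholders like `changeme_placeholder_value`, but it will also miss short or low-entropy secrets, so fixed-format patterns should be added for every credential type the organisation issues. Second, rewriting or deleting the offending commit does not remediate a leak: the key is already in clones, forks and third-party indexes, so the credential must be revoked and reissued regardless of what happens to the repository history.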
Starbucks gave the leak a high priority and closed it within three weeks. The researcher was awarded $4,000, the maximum the company pays out in its bug bounty program. In addition to pointing out the leak, he provided a proof of concept showing how it could be exploited.