Issue 89: Starbucks API flaw exposes almost 100 million customer accounts

This week, we have the recent API vulnerabilities at Starbucks and in Drupal, a set of open-source tools by the Spanish bank Banco Bilbao Vizcaya Argentaria (BBVA), and extensions to the Microsoft platform for integrating API security throughout it all.

Vulnerability: Starbucks

Sam Curry found an API vulnerability at Starbucks that exposed almost 100 million customer records. In his detailed write-up, Curry walks us through how he went about finding the issue:

  1. He found that the web page for buying gift cards used a REST API behind the scenes.
  2. He noticed that the API was actually acting as a proxy and routing calls to internal backend APIs.
  3. He found a combination of \.. and \. segments that fooled the web application firewall (WAF) rules and allowed him to traverse API paths.
  4. He and Justin Gardner then used Burp Intruder and a dictionary list to discover the available endpoints.
  5. He located /search/v1/accounts, a Microsoft Graph endpoint that gave him access to the records of almost 100 million Starbucks customers.

Starbucks has already fixed this vulnerability. Curry’s entertaining post provides not only the details of the vulnerability itself, but also a brilliant account of how a researcher approaches finding one.
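Step 3 above is the classic gap between a signature-style WAF rule and what the backend router actually resolves. The check below is an added example, not code from the original post or from Starbucks: it puts a naive literal-match rule next to a canonicalising check that decodes the path, treats backslashes as separators and resolves `.`/`..` before deciding whether the request still sits under the allowed proxy prefix. The prefix `/api/giftcards/` and the request paths are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical public prefix that the front-end proxy is allowed to forward.
ALLOWED_PREFIX = "/api/giftcards/"


def naive_waf_blocks(path: str) -> bool:
    """Signature-style rule: only catches the textbook '../' spelling."""
    return "../" in path


def canonical_path(path: str) -> str:
    """Return the path as a strict router would resolve it.

    Percent-decode first so encoded separators and dots are visible, treat
    backslashes as separators (many backends do), then collapse '.' and '..'
    segments and duplicate slashes with posixpath.normpath.
    """
    decoded = unquote(path).replace("\\", "/")
    if not decoded.startswith("/"):
        decoded = "/" + decoded
    return posixpath.normpath(decoded)


def is_allowed(path: str, allowed_prefix: str = ALLOWED_PREFIX) -> bool:
    """Accept a request only if its canonical form stays under the prefix.

    Matching on the canonical form means the WAF and the backend agree on
    which endpoint is being addressed, so alternate spellings of the same
    traversal cannot slip past a literal-string rule.
    """
    return canonical_path(path).startswith(allowed_prefix)


if __name__ == "__main__":
    # Constructed sample paths: one ordinary, two alternate spellings of a
    # climb out of the prefix that the naive rule never sees.
    for sample in (
        "/api/giftcards/./balance",
        "/api/giftcards/\\..\\..\\internal/accounts",
        "/api/giftcards/%5c..%5c..%5cinternal/accounts",
    ):
        print(
            f"{sample!r}: naive_blocks={naive_waf_blocks(sample)} "
            f"canonical={canonical_path(sample)!r} allowed={is_allowed(sample)}"
        )
```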

Vulnerability: Drupal

Drupal has just fixed a Cross-Site Request Forgery (CSRF) vulnerability in its Form API. The vulnerability was found by internal Drupal team members, so the details are scant:

The Drupal core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.

If you need a refresher on CSRF itself, check out this video by Tom Scott:

Tools: BBVA APICheck

The Spanish bank BBVA has an Innovation Security Labs team which maintains a set of open-source API security tools called APICheck.

The toolset includes, for example:

  • Replay HTTP requests
  • acurl
  • APICheck proxy
  • JWT token validator (just released)
  • Sensitive data detector
  • Send data to a proxy server

For more details on the toolset, check out its documentation.

Tools: API security extensions for VS Code, Azure DevOps, Azure Kubernetes Services

Microsoft Channel 9 has posted a video of Abel Wang and Dmitry Sotnikov (me :)) talking about API security within the whole Microsoft platform. We cover different API security scenarios and show hands-on demos of the API security extensions for:

  • Visual Studio Code (VS Code)
  • Azure DevOps pipelines (Azure Pipelines)
  • Azure Kubernetes Service (AKS)
