
Reports in Starbucks program:

| S.No | Title | Bounty |
|------|-------|--------|
| 1 | www.starbucks.co.uk Reflected XSS via utm_source parameter | $0.0 |
| 2 | Subdomain takeover on happymondays.starbucks.com due to non-used AWS S3 DNS record | $0.0 |
| 3 | DOM Based XSS DIV.innerHTML parameters store.starbucks* | $0.0 |
| 4 | Parameter Manipulation allowed for viewing of other user's teavana.com orders | $0.0 |
| 5 | Create New User Whilst Logged On | $0.0 |
| 6 | Persistent XSS in www.starbucks.com | $0.0 |
| 7 | http://digital.starbucks.com/ Creation of Google G Suite Account on Behalf of Starbucks | $0.0 |
| 8 | Parameter Manipulation allowed for editing the shipping address for other user's teavana.com subscriptions | $0.0 |
| 9 | Starbucks.com is reachable via IP address, thus possible to link any domain to Starbucks | $0.0 |
| 10 | Java Deserialization RCE via JBoss JMXInvokerServlet/EJBInvokerServlet on card.starbucks.in | $0.0 |
| 11 | Exposed Unencrypted Telnet Endpoint | $0.0 |
| 12 | CSRF exploit \| Adding/Editing comment of wishlist items (teavana.com - Wishlist-Comments) | $0.0 |
| 13 | Reflected XSS by exploiting CSRF vulnerability on teavana.com wishlist comment module (wishlist-comments) | $0.0 |
| 14 | Time-based Blind SQLi on news.starbucks.com | $0.0 |
| 15 | Brute Force Attack against PIN on Card History Page Could Lead to Card Information Discovery / Fraud | $0.0 |
| 16 | SAP Server - default credentials enabled | $0.0 |
| 17 | [newscdn.starbucks.com] CRLF Injection, XSS | $0.0 |
| 18 | DOM XSS on teavana.com via "pr_zip_location" parameter | $0.0 |
| 19 | CSRF vulnerability in saving payment card on store.starbucks.com (COBilling -AddCreditCard) | $0.0 |
| 20 | Persistent CSRF in /GiftCert-AddToBasket prevents purchases on eCommerce sites | $0.0 |
| 21 | Java Deserialization RCE via JBoss on card.starbucks.in | $0.0 |
| 22 | Stored XSS in Address Book (starbucks.com/account/profile) | $0.0 |
| 23 | CSRF: add item to victim's cart automatically (starbucks.com - updatecart) | $0.0 |
| 24 | Reflected XSS on teavana.com (Locale-Change) | $0.0 |
| 25 | Open redirect / Reflected XSS payload in root that affects all your sites (store.starbucks.* / shop.starbucks.* / teavana.com) | $0.0 |
| 26 | Stored XSS in comments on https://www.starbucks.co.uk/blog/* | $0.0 |
| 27 | Lack of Controls Allowing for Card and PIN Enumeration Leading to Fraud | $0.0 |
| 28 | Reflected XSS in openapi.starbucks.com /searchasyoutype/v1/search?x-api-key= | $0.0 |
| 29 | [connect.teavana.com] Open Redirect and abuse of connect.teavana.com | $0.0 |
| 30 | Full API Access and Run All Functions via Starbucks App | $0.0 |
| 31 | Out of date Disqus shortname usage in the web app source code | $0.0 |
| 32 | Unable to register in Starbucks app | $0.0 |
| 33 | Unable to register in Starbucks IN app | $0.0 |
| 34 | CSRF on blogs.starbucks.com | $0.0 |
| 35 | Possible subdomain takeover at openapi.starbucks.com | $0.0 |
| 36 | Possible SOP bypass in www.starbucks.com due to insecure crossdomain.xml | $0.0 |
| 37 | CSRF in Report Lost or Stolen Page https://www.starbucks.com/account/card | $0.0 |
| 38 | DOM-based XSS in store.starbucks.co.uk on IE 11 | $0.0 |
| 39 | Multiple Subdomain takeovers via unclaimed instances | $0.0 |
| 40 | [stagecafrstore.starbucks.com] CRLF Injection, XSS | $0.0 |
| 41 | SQL injection in partner id field on https://www.teavana.com (Sign-up form) | $0.0 |
| 42 | Subdomain takeover on developer.openapi.starbucks.com | $0.0 |
| 43 | Leaking sensitive files on GitHub leads to internal files (Python scripts, SQL files) | $0.0 |
| 44 | XSS on https://www.starbucks.co.uk (can lead to credit card theft) (/shop/paymentmethod) | $0.0 |
| 45 | Unauthorized access to jiratest.starbucks.com | $0.0 |
| 46 | Host header injection/redirection via newsletter signup | $0.0 |
| 47 | Subdomain takeover on svcgatewayus.starbucks.com | $0.0 |
| 48 | Able to purchase a gift card with any amount | $0.0 |
| 49 | Able to reset other user's password in https://card.starbucks.com.sg/ | $0.0 |
| 50 | Subdomain takeover on svcgatewaydevus.starbucks.com and svcgatewayloadus.starbucks.com | $0.0 |
| 51 | svcardproxydevus.starbucks.com Subdomain takeover | $0.0 |
| 52 | Subdomain takeover on wfmnarptpc.starbucks.com | $0.0 |
| 53 | Information Leak - GitHub - JMS Information | $0.0 |
| 54 | Backup Source Code Detected | $0.0 |
| 55 | DVR default username and password | $0.0 |
| 56 | Sidekiq web UI (Ruby background processing) accessible unauthenticated via https://gift-test.starbucks.co.jp/sidekiq/busy | $0.0 |
| 57 | Unauthorized access to a system used for CI/CD processes | $0.0 |
| 58 | Able to bypass information requirements before launching a Chat | $0.0 |
| 59 | SQL Injection Proof of Concept for Starbucks URL | $0.0 |
| 60 | Unused domain still in use on WeChat by Starbucks East China | $0.0 |
| 61 | Missing CSRF Token On Add Coupon To Basket | $0.0 |
| 62 | Information Exposure Through an Error Message at news.starbucks.com | $0.0 |
| 63 | Missing CSRF Token On Remove Coupon From Cart | $0.0 |
| 64 | Password Change not notified when changed from settings | $0.0 |
| 65 | Bug in GraphQL and API integration leads to limited user address disclosure | $0.0 |
| 66 | Reflected Cross site Scripting (XSS) on www.starbucks.com | $0.0 |
| 67 | Open Redirection in Login - Korean Starbucks | $0.0 |
| 68 | SSRF at ideas.starbucks.com | $0.0 |
| 69 | RCE and Complete Server Takeover of http://www.█████.starbucks.com.sg/ | $0.0 |
| 70 | Stored XSS on www.starbucks.com.sg/careers/career-center/career-landing-* | $0.0 |
| 71 | Subdomain takeover of mydailydev.starbucks.com | $0.0 |
| 72 | Reflected XSS in https://www.starbucks.co.jp/store/search/ | $0.0 |
| 73 | PHPinfo page | $0.0 |
| 74 | Blind SQL Injection on starbucks.com.gt and WAF Bypass | $0.0 |
| 75 | Blind SQLi leading to RCE, from Unauthenticated access to a test API Webservice | $0.0 |
| 76 | SQL Injection Extracts Starbucks Enterprise Accounting, Financial, Payroll Database | $0.0 |
| 77 | Subdomain takeover of d02-1-ag.productioncontroller.starbucks.com | $0.0 |
| 78 | Subdomain takeover of datacafe-cert.starbucks.com | $0.0 |
| 79 | Starbucks China Android app cloud storage service leaks a credential | $0.0 |
| 80 | [mena.starbucks.com] Laravel App Log & Configuration Disclosure | $0.0 |
| 81 | Reflected cross-site scripting on multiple Starbucks assets | $0.0 |
| 82 | XXE at ecjobs.starbucks.com.cn/retail/hxpublic_v6/hxdynamicpage6.aspx | $0.0 |
| 83 | Webshell via File Upload on ecjobs.starbucks.com.cn | $0.0 |
| 84 | Information disclosure on sim.starbucks.com | $0.0 |
| 85 | Reflected XSS in https://www.starbucks.com/account/create/redeem/MCP131XSR via xtl_amount, xtl_coupon_code, xtl_amount_type parameters | $0.0 |
| 86 | Improper handling of payment callback allows topping up a Swiss Starbucks Card bypassing actual payment via a crafted success message | $0.0 |
| 87 | Thailand - a small number of alarm system portals accessible with the default credentials | $0.0 |
| 88 | Thailand - a small number of SMB CCTV footage backup servers were accessible without authentication | $0.0 |
| 89 | India - An Insecure Direct Object Reference (IDOR) allowed unauthorized access to view card index number and monetary balance | $0.0 |
| 90 | Bulgaria - Subdomain takeover of mail.starbucks.bg | $0.0 |
| 91 | Reflected XSS on card.starbucks.com.sg/unsub.php via the 'ct' Parameter | $0.0 |
| 92 | Reflected XSS on card.starbucks.com.sg/unsubRevert.php via the 'ct' Parameter | $0.0 |
| 93 | Store Development Resource Center was vulnerable to a Remote Code Execution - Unauthenticated Remote Command Injection (CVE-2019-0604) | $0.0 |
| 94 | JumpCloud API Key leaked via Open GitHub Repository | $0.0 |
| 95 | Norway - store.starbucks.no - CSRF on email change | $0.0 |
| 96 | China - ecjobsdc.starbucks.com.cn html/shtml file upload vulnerability | $0.0 |
| 97 | WAF bypass via double encoded non standard ASCII chars permitted a reflected XSS on response page not found pages (629745 bypass) | $0.0 |
| 98 | Account takeover of 'light' starbuckscardb2b users | $0.0 |
| 99 | Thailand - Insecure Direct Object Reference permits an unauthorized user to transfer funds from a victim using only the victim's Starbucks card | $0.0 |
| 100 | sdrc.starbucks.com - Information Disclosure via unsecured attachment directory | $0.0 |
| 101 | Hong Kong - Open Redirect on card.starbucks.com.hk | $0.0 |
| 102 | Korea - LFI via path traversal at https://msr.istarbucks.co.kr:6443/appif/ | $0.0 |
| 103 | DOM XSS on app.starbucks.com via ReturnUrl | $0.0 |
| 104 | athome.starbucks.com - URL parameter tampering of review forms permitted possible content injection | $0.0 |
| 105 | Minimal information disclosure of internal asset names and links which were not publicly accessible | $0.0 |
| 106 | China - president-starbucks.com.cn DNS configuration reported as takeover | $0.0 |
| 107 | Singapore - IDOR in campaign.starbucks.com.sg | $0.0 |
| 108 | China - Limited Partner PII Regarding Work Scheduling via Unauthenticated API Endpoint | $0.0 |
| 109 | China - Leaked credentials permitted a limited ability to create Starbucks coupons and cards | $0.0 |
| 110 | Open Redirect on Greater Asia domains | $0.0 |
| 111 | India - OTP bypass on Phone number verification for account creation | $0.0 |
| 112 | Korea - LFI Server directory traversal at starbucks.co.kr | $0.0 |
| 113 | Thailand - IDOR on www.starbuckscardth.in.th: A logged in user could view any Thailand Starbucks card balance if they knew that Starbucks card number | $0.0 |
| 114 | Reflected XSS on https://www.starbucks.co.uk/shop/paymentmethod/ (bypass for 227486) | $0.0 |
| 115 | Reflected DOM XSS on www.starbucks.co.uk | $0.0 |
| 116 | Misuse of an authentication cookie combined with a path traversal on app.starbucks.com permitted access to restricted data | $0.0 |
| 117 | Default credentials for the temporary POC site alipoc.stg.starbucks.com.cn permitted WAF bypass and RCE | $0.0 |
| 118 | Cross-Site Scripting (XSS) on www.starbucks.com \| .co.uk login pages | $0.0 |
| 119 | China - Open redirect at trackinghub.starbucks.com.cn | $0.0 |
| 120 | Singapore - XXE at https://www.starbucks.com.sg/RestApi/soap11 | $0.0 |
| 121 | Singapore - Unrestricted File Upload Leads to XSS on campaign.starbucks.com.sg/api/upload | $0.0 |
| 122 | Singapore - Account Takeover via IDOR | $0.0 |
| 123 | Korea - Reflected XSS on https://www.istarbucks.co.kr/app/getGiftStock.do via "skuNo" and "skuImgUrl" parameters | $0.0 |
| 124 | CRLF injection on www.starbucks.com | $0.0 |
| 125 | China - IDOR on Reservation Staging/Non Production Site - https://reservation.stg.starbucks.com.cn | $0.0 |
| 126 | Thailand - SNMP Publicly Accessible | $0.0 |
| 127 | Unrestricted File Upload Leads to RCE on mobile.starbucks.com.sg | $0.0 |
| 128 | Japan - CSRF in webapp.starbucks.co.jp with user interaction could leak an access token if the user was not using Chrome | $0.0 |