“One misstep from developers at Starbucks left exposed an API key that could be used by an attacker to access internal systems and manipulate the list of authorized users,” reports Bleeping Computer:
Vulnerability hunter Vinoth Kumar reported the oversight on October 17 and close to three weeks later Starbucks responded it demonstrated “significant information disclosure” and that it qualified for a bug bounty… Along with identifying the GitHub repository and specifying the file hosting the API key, Kumar also provided proof-of-concept (PoC) code demonstrating what an attacker could do with the key. Apart from listing systems and users, adversaries could also take control of the Amazon Web Services (AWS) account, execute commands on systems, and add or remove users with access to the internal systems.
Once Starbucks was content with the remediation steps taken, the company paid Kumar a $4,000 bounty for the disclosure, which is the maximum reward for critical vulnerabilities. Most bounties from Starbucks are between $250-$375. The company solved 834 reports since launching the bug bounty program in 2016, and 369 of them were reported in the past three months. For them, Starbucks spent $40,000.
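The root cause above is a credential committed to a source repository. A defender's usual control is a secret scan run before a commit lands (and again over the repository history). Below is an added example of such a check, not code from Bleeping Computer, Starbucks or the researcher: it flags the public AWS access key ID shape (`AKIA` followed by 16 uppercase alphanumerics) and any `api_key`/`secret`/`token`/`password` assignment whose value is long and high-entropy, so that obvious placeholders do not fire. The sample files, the 3.5 bits-per-character entropy threshold and the rule names are constructed for the example.

```python
"""Minimal pre-commit secret scanner (added example; not the article's or Starbucks' code)."""
import math
import re
from dataclasses import dataclass

# The AWS access key ID shape (AKIA + 16 uppercase alphanumerics) is a publicly
# documented format. The generic assignment rule is an assumed heuristic.
KEY_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{20,})"
    ),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off for "looks random"


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    preview: str  # redacted so the scanner's own output does not leak the secret


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(token: str) -> str:
    """Keep only a short prefix/suffix so a reviewer can recognise the finding."""
    return token[:4] + "..." + token[-2:] if len(token) > 8 else "***"


def scan_text(path: str, text: str) -> list:
    """Return findings for one file's contents, one per matching rule per line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = KEY_PATTERNS["aws_access_key_id"].search(line)
        if m:
            findings.append(Finding(path, line_no, "aws_access_key_id", redact(m.group(0))))
        m = KEY_PATTERNS["generic_assignment"].search(line)
        # Only report long values that look random; low-entropy placeholders are ignored.
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append(Finding(path, line_no, "generic_assignment", redact(m.group(1))))
    return findings


def scan_files(files: dict) -> list:
    """files maps path -> contents (what a pre-commit hook would read from the index)."""
    found = []
    for path, text in files.items():
        found.extend(scan_text(path, text))
    return found


def precommit_exit_code(files: dict) -> int:
    """Non-zero blocks the commit, the usual contract for a pre-commit hook."""
    return 1 if scan_files(files) else 0


# Constructed sample repository contents; none of these values is a real credential.
SAMPLE_FILES = {
    "config/settings.py": "\n".join([
        "DEBUG = False",
        'AWS_ACCESS_KEY_ID = "AKIAAAAAAAAAAAAAAAAA"',   # constructed AKIA-shaped value
        'API_KEY = "aaaaaaaaaaaaaaaaaaaaaaaa"',         # low-entropy placeholder, must not fire
        'SERVICE_TOKEN = "q7Zp3xV9kL2mN8bR4tY6wE1u"',  # constructed high-entropy value
    ]),
    "README.md": "Set API_KEY in your environment; never commit it.",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.preview}")
    raise SystemExit(precommit_exit_code(SAMPLE_FILES))
```

Run on the constructed sample it reports the AKIA-shaped line and the random-looking `SERVICE_TOKEN`, skips the all-`a` placeholder and the README mention, and exits 1 so the commit is blocked. The same scan should also be run over the full history, since a key removed in a later commit is still retrievable from earlier ones.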