Starbucks Devs Leave API Key in GitHub Public Repository
upstart writes in with an IRC submission for Anonymous_Coward:
Starbucks Devs Leave API Key in GitHub Public Repo:
One misstep from developers at Starbucks left exposed an API key that could be used by an attacker to access internal systems and manipulate the list of authorized users.
The severity rating of the vulnerability was set to critical as the key allowed access to a Starbucks JumpCloud API.
Vulnerability hunter Vinoth Kumar found the key in a public GitHub repository and disclosed it responsibly through the HackerOne vulnerability coordination and bug bounty platform.
[...] Kumar reported the oversight on October 17 and close to three weeks later Starbucks responded it demonstrated "significant information disclosure" and that it qualified for a bug bounty.
Starbucks took care of the problem much sooner, though as Kumar noted on October 21 that the repository had been removed and the API key had been revoked.
[...] Once Starbucks was content with the remediation steps taken, the company paid Kumar a $4,000 bounty for the disclosure, which is the maximum reward for critical vulnerabilities. Most bounties from Starbucks are between $250-$375.
Read more of this story at SoylentNews.