Recently, a researcher discovered a Starbucks API key exposed in a public GitHub repo. Had a hacker with malicious intent accessed the key, they may have been able to change authorized users and access internal data.
Bug hunter Vinoth Kumar caught a vulnerability affecting Starbucks systems. Specifically, he found an exposed API key in a public GitHub repository that allowed access to Starbucks JumpCloud API.
JumpCloud is a cloud directory service offered as an alternative to Azure AD and on-premises Active Directory. It provides user management, a cloud Lightweight Directory Access Protocol (LDAP) service, web app single sign-on (SSO) and more.
According to Kumar, anyone holding the API key could gain access to the internal data of Starbucks systems. As explained by the researcher, exploiting the bug could allow an attacker to,
Thus, it was a critical issue that required immediate attention from the vendors.
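The incident above is a textbook secret leak: a credential committed to a public repository. The usual defensive control is to scan commits for credential-shaped strings before they are pushed. The script below is an added example for this page, not code from the researcher, Starbucks or JumpCloud; the JumpCloud key format is not documented on the page, so a generic `token = <long string>` assignment pattern stands in for it, and every sample line and key value is constructed for the demonstration.

```python
import math
import os
import re

# Credential shapes worth flagging. The AWS and GitHub prefixes are documented
# public formats; the "generic" pattern is an assumption that covers assignments
# such as API_KEY=..., token: "..." or secret = '...'.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_api_key": re.compile(
        r"(?i)(?:api[_-]?key|x-api-key|token|secret)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{20,})"
    ),
}

# Substrings that mark documentation placeholders rather than live credentials.
PLACEHOLDER_WORDS = ("example", "placeholder", "your_", "xxxx", "changeme")


def shannon_entropy(s):
    """Bits per character; real tokens are high, 'aaaa...' style fillers are near 0."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_placeholder(secret):
    low = secret.lower()
    return any(word in low for word in PLACEHOLDER_WORDS)


def redact(secret):
    """Keep only the first and last four characters so a finding can be triaged
    without re-exposing the credential in a report or log."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_text(text, path="<constructed>", entropy_threshold=3.0):
    """Return a list of findings for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                secret = m.group(m.lastindex or 0)
                # Drop obvious placeholders and low-entropy filler to cut noise.
                if looks_like_placeholder(secret) or shannon_entropy(secret) < entropy_threshold:
                    continue
                findings.append(
                    {"file": path, "line": lineno, "kind": kind, "redacted": redact(secret)}
                )
    return findings


def scan_tree(root):
    """Walk a checkout and scan every regular file; skip the .git metadata."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(fh.read(), path=full))
            except OSError:
                continue
    return findings


# Constructed sample of a .env file; none of these values is a real credential.
SAMPLE = """\
# constructed sample, not a real repository
DB_HOST=db.internal
API_KEY=your_api_key_here_placeholder
aws_access_key_id = AKIAZZ9Q7XK2M4N8P6R3
JUMPCLOUD_TOKEN: "c3f9d2a1b7e64f0d9a8b1c2d3e4f5a6b7c8d9e0f"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE, path="constructed.env"):
        print(f"{f['file']}:{f['line']} {f['kind']} {f['redacted']}")
```

Run as a pre-commit hook (or in CI over the staged tree with `scan_tree`) the script blocks the push that would have exposed the key; the redacted output keeps the secret out of build logs, which are themselves a common second leak point. The placeholder and entropy filters are what keep such a hook usable: without them, every README that documents `API_KEY=your_api_key_here` trips the check and developers learn to ignore it.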