Starbucks (SBUX) on Wednesday acknowledged that criminals have been breaking into individual customer rewards accounts.
The Starbucks app lets you pay at checkout with your phone. It can also reload Starbucks gift cards by automatically drawing funds from your bank account, credit card or PayPal.
That's how criminals are siphoning money away from victims. They break into a victim's Starbucks account online, add a new gift card, transfer funds over -- and repeat the process every time the original card reloads.
The flaw, found by Jouko Pynnönen, is a cross-site scripting (XSS) bug in WordPress similar to one patched last week. It is buried within the widely used web publishing software's comments system.
The vulnerability is present in WordPress version 4.2 and below. Pynnönen revealed the flaw on his blog on Sunday before the WordPress team could release a patch for the software: the researcher feared WordPress would take too long to fix the hole, and wanted to warn everyone beforehand.
"I didn't report the bug to the vendor this time," Pynnönen told The Register in an email earlier today.
The security blunder is exploited by posting a 64KB comment to a WordPress blog page. This data is truncated as it is written to the database, breaking safety checks that are supposed to filter out malicious code when the comment is displayed to visitors.
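As an added illustration (not code from the article or from WordPress itself), the following simulates the sanitize-then-truncate pattern described above: a comment is sanitized once, the storage layer silently truncates it, and the rendered output no longer satisfies the invariant the sanitizer established. The 65535-byte column limit, the small allowlist sanitizer and the constructed sample comment are assumptions for the demo; the hardened path simply rejects oversized input before anything is stored.

```python
import html
import re

COLUMN_LIMIT = 65535  # assumed MySQL TEXT column size; real schemas vary
LINK_RE = re.compile(r'<a href="([^"<>]+)">([^<]*)</a>')


def sanitize(comment):
    """Allowlist sanitizer: keeps <a href="http(s)://..."> links with escaped
    attribute and text; everything else is HTML-escaped."""
    out, pos = [], 0
    for m in LINK_RE.finditer(comment):
        out.append(html.escape(comment[pos:m.start()]))
        href, text = m.group(1), m.group(2)
        if href.startswith(("http://", "https://")):
            out.append(f'<a href="{html.escape(href)}">{html.escape(text)}</a>')
        else:
            out.append(html.escape(m.group(0)))  # disallowed scheme: neutralise whole tag
        pos = m.end()
    out.append(html.escape(comment[pos:]))
    return "".join(out)


def still_sanitized(stored):
    """Renderer-side invariant: every raw '<' or '"' must belong to a complete,
    allowlisted link tag. Truncation mid-tag breaks this."""
    covered = [False] * len(stored)
    for m in LINK_RE.finditer(stored):
        for i in range(m.start(), m.end()):
            covered[i] = True
    return all(covered[i] for i, ch in enumerate(stored) if ch in '<"')


def store_truncating(sanitized):
    """Legacy path (the bug pattern): the column drops bytes past the limit."""
    return sanitized.encode("utf-8")[:COLUMN_LIMIT].decode("utf-8", errors="ignore")


def store_checked(comment):
    """Hardened path: enforce the limit before storage instead of truncating."""
    clean = sanitize(comment)
    if len(clean.encode("utf-8")) > COLUMN_LIMIT:
        raise ValueError("comment exceeds storage limit; rejected")
    return clean


def demo():
    """Constructed comment whose link straddles the limit.
    Returns (legacy output still satisfies invariant, hardened path rejected it)."""
    comment = "x" * (COLUMN_LIMIT - 20) + '<a href="https://example.com/long/path">click</a>'
    legacy_ok = still_sanitized(store_truncating(sanitize(comment)))
    try:
        store_checked(comment)
        rejected = False
    except ValueError:
        rejected = True
    return legacy_ok, rejected
```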
- OPM hack's unprecedented haul: 1.1 million fingerprints
- U.S. data hack may be 4 times larger than the government originally said
- Net neutrality is here. What it means for you
- US net neutrality rules to go ahead
- Cyberattack Exposes I.R.S. Tax Returns
- Hackers are draining bank accounts via the Starbucks app
- Comments considered harmful: WordPress web hijack bug revealed
- How to Defeat a Smarter Breed of Cyber Threat
- Premera cyberattack could have exposed information for 11 million customers
- Online Bank Robbers Steal as Much as $1 Billion, Says Kaspersky