| Japan - CSRF in webapp.starbucks.co.jp with user interaction could leak an access token if the user was not using Chrome |
Cross-Site Request Forgery (CSRF) |
elber |
High |
2021-05-18 |
| Unrestricted File Upload Leads to RCE on mobile.starbucks.com.sg |
Improper Access Control - Generic |
ko2sec |
Critical |
2020-12-09 |
| Thailand - SNMP Publicly Accessible |
Improper Access Control - Generic |
k3mlol |
High |
2020-10-07 |
| China - IDOR on Reservation Staging/Non Production Site - https://reservation.stg.starbucks.com.cn |
Insecure Direct Object Reference (IDOR) |
xmfc |
Medium |
2020-09-22 |
| China - IDOR on Reservation Staging/Non Production Site - https://reservation.stg.starbucks.com.cn |
Insecure Direct Object Reference (IDOR) |
seven6 |
Medium |
2020-09-22 |
| CRLF injection on www.starbucks.com |
CRLF Injection |
x3n0nn3p |
Medium |
2020-09-01 |
| CRLF injection on www.starbucks.com |
CRLF Injection |
x3n0nn3p |
Medium |
2020-09-01 |
| Korea - Reflected XSS on https://www.istarbucks.co.kr/app/getGiftStock.do via "skuNo" and "skuImgUrl" parameters |
Cross-site Scripting (XSS) - Reflected |
rexvuz |
Medium |
2020-08-19 |
| Singapore - Account Takeover via IDOR |
Insecure Direct Object Reference (IDOR) |
ko2sec |
Critical |
2020-07-28 |
| Singapore - Account Takeover via IDOR |
Insecure Direct Object Reference (IDOR) |
ko2sec |
Critical |
2020-07-28 |
| Singapore - Unrestricted File Upload Leads to XSS on campaign.starbucks.com.sg/api/upload |
Cross-site Scripting (XSS) - Stored |
ko2sec |
Medium |
2020-07-22 |
| Singapore - XXE at https://www.starbucks.com.sg/RestApi/soap11 |
XML External Entities (XXE) |
rugb |
High |
2020-07-22 |
| Cross-Site Scripting (XSS) on www.starbucks.com | .co.uk login pages |
Cross-site Scripting (XSS) - Generic |
cdl |
High |
2020-07-01 |
| Misuse of an authentication cookie combined with a path traversal on app.starbucks.com permitted access to restricted data |
Path Traversal |
zlz |
Critical |
2020-06-16 |
| Reflected DOM XSS on www.starbucks.co.uk |
Cross-site Scripting (XSS) - Reflected |
bayotop |
Medium |
2020-06-16 |
| Reflected XSS on https://www.starbucks.co.uk/shop/paymentmethod/ (bypass for 227486) |
Cross-site Scripting (XSS) - Reflected |
bayotop |
Medium |
2020-06-16 |
| Default credentials for the temporary POC site alipoc.stg.starbucks.com.cn permitted WAF bypass and RCE |
OS Command Injection |
neweq |
Medium |
2020-06-16 |
| Thailand - IDOR on www.starbuckscardth.in.th: A logged in user could view any Thailand Starbucks card balance if they knew that Starbucks card number |
Insecure Direct Object Reference (IDOR) |
nnez |
Low |
2020-05-19 |
| Korea - LFI Server directory traversal at starbucks.co.kr |
Path Traversal |
0xb33 |
High |
2020-04-30 |
| India - OTP bypass on Phone number verification for account creation |
Improper Authentication - Generic |
deksterh1 |
Medium |
2020-04-22 |
| China – Limited Partner PII Regarding Work Scheduling via Unauthenticated API Endpoint |
Information Disclosure |
0xpatrik |
Critical |
2020-04-01 |
| China - Leaked credentials permitted a limited ability to create Starbucks coupons and cards |
Insufficiently Protected Credentials |
neweq |
High |
2020-04-01 |
| DOM XSS on app.starbucks.com via ReturnUrl |
Cross-site Scripting (XSS) - DOM |
gamer7112 |
Medium |
2020-03-17 |
| Minimal information disclosure of internal asset names and links which were not publicly accessible. |
Information Disclosure |
e4366eolywrgpidfbio |
Low |
2020-03-17 |
| Singapore - IDOR in campaign.starbucks.com.sg |
Insecure Direct Object Reference (IDOR) |
bytebunny |
Medium |
2020-03-17 |
| China - president-starbucks.com.cn DNS configuration reported as takeover |
Privilege Escalation |
k3mlol |
High |
2020-03-17 |
| athome.starbucks.com - URL parameter tampering of review forms permitted possible content injection |
Improper Input Validation |
jackb898 |
Medium |
2020-03-17 |
| Korea - LFI via path traversal at https://msr.istarbucks.co.kr:6443/appif/ |
Path Traversal |
iampuky |
Critical |
2020-03-10 |
| Korea - LFI via path traversal at https://msr.istarbucks.co.kr:6443/appif/ |
Path Traversal |
iampuky |
Critical |
2020-03-10 |
| sdrc.starbucks.com - Information Disclosure via unsecured attachment directory |
Information Disclosure |
l00ph0le |
Critical |
2020-02-26 |
| Thailand - Insecure Direct Object Reference permits an unauthorized user to transfer funds from a victim using only the victims Starbucks card |
Insecure Direct Object Reference (IDOR) |
nnez |
High |
2020-02-11 |
| WAF bypass via double encoded non standard ASCII chars permitted a reflected XSS on response page not found pages - (629745 bypass) |
Cross-site Scripting (XSS) - Reflected |
laszaro |
Low |
2020-01-29 |
| China - ecjobsdc.starbucks.com.cn html/shtml file upload vulnerability |
Privilege Escalation |
neweq |
High |
2020-01-29 |
| Account take over of 'light' starbuckscardb2b users |
Improper Authentication - Generic |
zude |
High |
2020-01-29 |
| Norway - store.starbucks.no - CSRF on email change |
Cross-Site Request Forgery (CSRF) |
moonlight323 |
High |
2020-01-23 |
| JumpCloud API Key leaked via Open Github Repository. |
Use of Hard-coded Credentials |
vinothkumar |
Critical |
2019-12-30 |
| JumpCloud API Key leaked via Open Github Repository. |
Use of Hard-coded Credentials |
vinothkumar |
Critical |
2019-12-30 |
| Bulgaria - Subdomain takeover of mail.starbucks.bg |
Privilege Escalation |
nukedx |
High |
2019-12-12 |
| Store Development Resource Center was vulnerable to a Remote Code Execution - Unauthenticated Remote Command Injection (CVE-2019-0604) |
OS Command Injection |
l00ph0le |
Critical |
2019-12-12 |
| Thailand - a small number of SMB CCTV footage backup servers were accessible without authentication. |
Improper Access Control - Generic |
radoooz |
Medium |
2019-11-19 |
| Webshell via File Upload on ecjobs.starbucks.com.cn |
OS Command Injection |
johnstone |
Critical |
2019-11-13 |
| Webshell via File Upload on ecjobs.starbucks.com.cn |
OS Command Injection |
johnstone |
Critical |
2019-11-13 |
| Information disclosure on sim.starbucks.com |
Information Disclosure |
johnstone |
Low |
2019-11-13 |
| XXE at ecjobs.starbucks.com.cn/retail/hxpublic_v6/hxdynamicpage6.aspx |
XML External Entities (XXE) |
johnstone |
Critical |
2019-11-13 |
| Webshell via File Upload on ecjobs.starbucks.com.cn |
OS Command Injection |
johnstone |
Critical |
2019-11-13 |
| Reflected cross-site scripting on multiple Starbucks assets. |
Cross-site Scripting (XSS) - Reflected |
stealthy |
Low |
2019-10-16 |
| [mena.starbucks.com] Laravel App Log & Configuration Disclosure. |
Information Disclosure |
bobrov |
High |
2019-09-30 |
| Subdomain takeover of datacafe-cert.starbucks.com |
Privilege Escalation |
parzel |
High |
2019-08-28 |
| Subdomain takeover of d02-1-ag.productioncontroller.starbucks.com |
Privilege Escalation |
mindtrick |
High |
2019-08-15 |
| SQL Injection Extracts Starbucks Enterprise Accounting, Financial, Payroll Database |
SQL Injection |
spaceraccoon |
Critical |
2019-08-06 |
| SQL Injection Extracts Starbucks Enterprise Accounting, Financial, Payroll Database |
SQL Injection |
spaceraccoon |
Critical |
2019-08-06 |
| SQL Injection Extracts Starbucks Enterprise Accounting, Financial, Payroll Database |
SQL Injection |
spaceraccoon |
Critical |
2019-08-06 |
| Blind SQLi leading to RCE, from Unauthenticated access to a test API Webservice |
SQL Injection |
geek_jeremy |
Critical |
2019-07-23 |
| Blind SQL Injection on starbucks.com.gt and WAF Bypass :* |
SQL Injection |
d3417_ |
High |
2019-06-19 |
| PHPinfo page |
Information Disclosure |
linkks |
Low |
2019-06-12 |
| Subdomain takeover of mydailydev.starbucks.com |
Externally Controlled Reference to a Resource in Another Sphere |
0xpatrik |
High |
2019-05-22 |
| RCE and Complete Server Takeover of http://www.█████.starbucks.com.sg/ |
Code Injection |
spaceraccoon |
Critical |
2019-04-10 |
| Reflected Cross site Scripting (XSS) on www.starbucks.com |
Cross-site Scripting (XSS) - Reflected |
cujanovic |
Medium |
2019-03-08 |
| Bug in GraphQL and API integration leads to limited user address disclosure |
Improper Access Control - Generic |
loxiran |
High |
2019-03-08 |
| Unauthorized access to a system used for CI/CD processes |
Improper Authentication - Generic |
k3m |
High |
2018-11-01 |
| Sidekiq web UI (Ruby background processing) accessible unauthenticated via https://gift-test.starbucks.co.jp/sidekiq/busy |
Improper Access Control - Generic |
jackds |
Medium |
2018-10-24 |
| DVR default username and password |
None supplied |
radoooz |
Medium |
2018-10-16 |
| Backup Source Code Detected |
None supplied |
linkks |
Medium |
2018-09-22 |
| Information Leak - Github - JMS Information |
Information Disclosure |
peuch |
High |
2018-08-16 |
| Subdomain takeover on wfmnarptpc.starbucks.com |
Privilege Escalation |
0xpatrik |
High |
2018-08-09 |
| svcardproxydevus.starbucks.com Subdomain take over |
Improper Access Control - Generic |
txt3rob |
High |
2018-07-23 |
| Subdomain takeover on svcgatewaydevus.starbucks.com and svcgatewayloadus.starbucks.com |
Privilege Escalation |
blurbdust |
Critical |
2018-07-23 |
| Able to reset other user's password in https://card.starbucks.com.sg/ |
Improper Authentication - Generic |
qwacsawd |
Medium |
2018-07-23 |
| Able to purchase a gift card with any amount |
Insecure Direct Object Reference (IDOR) |
qwacsawd |
High |
2018-07-20 |
| Subdomain takeover on svcgatewayus.starbucks.com |
Privilege Escalation |
0xpatrik |
Critical |
2018-06-25 |
| Host header injection/redirection via newsletter signup |
None supplied |
b3nac |
Low |
2018-06-09 |
| Unauthorized access to jiratest.starbucks.com |
Improper Authentication - Generic |
damian89 |
Critical |
2018-05-30 |
| XSS on https://www.starbucks.co.uk (can lead to credit card theft) (/shop/paymentmethod) |
Cross-site Scripting (XSS) - Generic |
bayotop |
High |
2018-05-22 |
| Leaking sensitive files on Github leads to internal files (python scripts,SQL files) |
Information Disclosure |
xsam |
Critical |
2018-05-17 |
| Subdomain takeover on developer.openapi.starbucks.com |
Improper Access Control - Generic |
dpgribkov |
High |
2018-02-17 |
| SQL injection in partner id field on https://www.teavana.com (Sign-up form) |
SQL Injection |
bigbug |
Medium |
2018-01-23 |
| [stagecafrstore.starbucks.com] CRLF Injection, XSS |
Cross-site Scripting (XSS) - Generic |
bobrov |
Low |
2018-01-22 |
| Multiple Subdomain takeovers via unclaimed instances |
Privilege Escalation |
benoculars |
High |
2017-12-04 |
| DOM-based XSS in store.starbucks.co.uk on IE 11 |
Cross-site Scripting (XSS) - DOM |
albinowax |
Low |
2017-11-03 |
| CSRF in Report Lost or Stolen Page https://www.starbucks.com/account/card |
Cross-Site Request Forgery (CSRF) |
darwinks |
Medium |
2017-09-25 |
| Possible SOP bypass in www.starbucks.com due to insecure crossdomain.xml |
Cross-Site Request Forgery (CSRF) |
ghjfgjggfdfhfgsdfssdf |
High |
2017-09-23 |
| Possible subdomain takeover at openapi.starbucks.com |
None supplied |
benoculars |
High |
2017-08-15 |
| csrf blogs.starbucks.com |
Cross-Site Request Forgery (CSRF) |
w2w |
None |
2017-08-15 |
| Unable to register in starbucks IN app |
Denial of Service |
ashishag29 |
Low |
2017-08-15 |
| Unable to register in starbucks app |
Weak Cryptography for Passwords |
ashishag29 |
Medium |
2017-08-15 |
| out of date disqus shortname usage in the web app source code |
Violation of Secure Design Principles |
hiorws |
Critical |
2017-08-12 |
| Full Api Access and Run All Functions via Starbucks App |
Improper Authentication - Generic |
ynsy |
Medium |
2017-08-06 |
| [connect.teavana.com] Open Redirect and abuse of connect.teavana.com |
Open Redirect |
rbcafe |
Medium |
2017-07-27 |
| Reflected XSS in openapi.starbucks.com /searchasyoutype/v1/search?x-api-key= |
Cross-site Scripting (XSS) - Generic |
an0n-j |
Medium |
2017-07-25 |
| Lack of Controls Allowing for Card and PIN Enumeration Leading to Fraud |
None supplied |
kylecolson |
High |
2017-07-01 |
| Stored XSS in comments on https://www.starbucks.co.uk/blog/* |
Cross-site Scripting (XSS) - Stored |
bayotop |
High |
2017-06-27 |
| Open redirect / Reflected XSS payload in root that affects all your sites (store.starbucks.* / shop.starbucks.* / teavana.com) |
Cross-site Scripting (XSS) - Generic |
inhibitor181 |
Medium |
2017-06-14 |
| Reflected XSS on teavana.com (Locale-Change) |
Cross-site Scripting (XSS) - Generic |
inhibitor181 |
Medium |
2017-06-09 |
| CSRF: add item to victim's cart automatically (starbucks.com - updatecart) |
Cross-Site Request Forgery (CSRF) |
bughunterboy |
Medium |
2017-06-02 |
| Stored XSS in Adress Book (starbucks.com/account/profile) |
Cross-site Scripting (XSS) - Generic |
myst404 |
Low |
2017-05-31 |
| Java Deserialization RCE via JBoss on card.starbucks.in |
Code Injection |
joaomatosf |
Critical |
2017-05-22 |
| Persistent CSRF in /GiftCert-AddToBasket prevents purchases on eCommerce sites |
Cross-Site Request Forgery (CSRF) |
inhibitor181 |
High |
2017-05-15 |
| CSRF vulnerability in saving payment card on store.starbucks.com (COBilling -AddCreditCard) |
Cross-Site Request Forgery (CSRF) |
codequick |
Low |
2017-05-15 |
| DOM XSS on teavana.com via "pr_zip_location" parameter |
Cross-site Scripting (XSS) - Generic |
nirvana-msu |
Medium |
2017-05-03 |
| [newscdn.starbucks.com] CRLF Injection, XSS |
HTTP Response Splitting |
bobrov |
Medium |
2017-03-09 |
| SAP Server - default credentials enabled |
Improper Authentication - Generic |
ak1t4 |
Medium |
2017-03-01 |
| Brute Force Attack against PIN on Card History Page Could Lead to Card Information Discovery / Fraud |
Violation of Secure Design Principles |
kylecolson |
None |
2017-03-01 |
| Time-based Blind SQLi on news.starbucks.com |
SQL Injection |
toctou |
High |
2017-02-24 |
| Reflected XSS by exploiting CSRF vulnerability on teavana.com wishlist comment module. (wishlist-comments) |
Cross-site Scripting (XSS) - Generic |
faisalahmed |
Medium |
2017-02-13 |
| CSRF exploit | Adding/Editing comment of wishlist items (teavana.com - Wishlist-Comments) |
Cross-Site Request Forgery (CSRF) |
faisalahmed |
Medium |
2017-02-13 |
| Exposed Unencrypted Telnet Endpoint |
None supplied |
zephrfish |
Low |
2017-02-08 |
| Java Deserialization RCE via JBoss JMXInvokerServlet/EJBInvokerServlet on card.starbucks.in |
Code Injection |
meals |
No rating |
2017-02-03 |
| Starbucks.com is reachable via ip address thus possible to link any doamin to Starbucks. |
Cryptographic Issues - Generic |
cj862530 |
Medium |
2017-01-27 |
| Parameter Manipulation allowed for editing the shipping address for other user’s teavana.com subscriptions. |
Improper Authentication - Generic |
meals |
No rating |
2017-01-27 |
| http://digital.starbucks.com/ Creation of Google G Suite Account on Behalf of starbucks. |
Information Disclosure |
babayaga_ |
Low |
2017-01-17 |
| Persistent XSS in www.starbucks.com |
Cross-site Scripting (XSS) - Generic |
ddworken |
High |
2017-01-17 |
| Create New User Whilst Logged On |
Open Redirect |
id-is-vulnerable |
None |
2017-01-13 |
| Parameter Manipulation allowed for viewing of other user’s teavana.com orders |
Improper Authentication - Generic |
meals |
No rating |
2017-01-13 |
| Dom Based Xss DIV.innerHTML parameters store.starbucks* |
Cross-site Scripting (XSS) - Generic |
e3xpl0it |
Low |
2017-01-12 |
| Subdomain takeover on happymondays.starbucks.com due to non-used AWS S3 DNS record |
Privilege Escalation |
dpgribkov |
High |
2016-12-19 |
| www.starbucks.co.uk Reflected XSS via utm_source parameter |
Cross-site Scripting (XSS) - Generic |
meals |
No rating |
2016-12-19 |
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles