No good deed goes unpunished, as Egor Homakov learned when he discovered a free Starbucks gift card reloading glitch that allowed him to generate unlimited funds on the cards. Homakov is part of a security consultancy, and after he notified Starbucks of the glitch, both sides were left with bitter feelings that did not come from the dregs of Starbucks coffee.
As reported by tech news service Ars Technica, Egor Homakov is part of a company called Security, a Hong Kong-based IT firm that specializes in auditing corporate sites for vulnerabilities and potential hacks such as the free Starbucks gift card reloading glitch Homakov found. Homakov found a weakness in the Starbucks network known as a race condition, which has since been fixed. Simply put, a race condition occurs when the instructions in a computer program, network, etc. are not processed in the intended order, which can cause the program to malfunction and create loopholes for hackers.
He started with three $5 gift cards and was able to transfer the $5 from card A to card B, but with the added benefit of the transfer happening twice, giving Homakov a total of $20 instead of $15. He tested his free gift card reloading hack by visiting a San Francisco Starbucks store. He used two of the cards to make a $16.70 purchase, with $1.70 of that money coming from the illegal tender on his gift cards. Homakov deposited another $10 from his own funds so that he would not be put away for $1.70.
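The double transfer described above can be modeled in a few lines. This is an added example, not code from Homakov's write-up or from Starbucks; the class and function names are hypothetical, and the check-then-write layout of the vulnerable method is an assumption about how such a flaw typically arises. The second method shows the fix: the balance check and the update run as one locked step.

```python
import threading

# Constructed model of the flaw described above: three $5 cards, and two
# simultaneous requests to move $5 from card A to card B. The real Starbucks
# back end is not shown on the page; this check-then-write layout is assumed.

class CardStore:
    def __init__(self):
        self.balances = {"A": 5, "B": 5, "C": 5}
        self.lock = threading.Lock()

    def transfer_racy(self, src, dst, amount, gate):
        seen = self.balances[src]          # check uses a balance read up front
        gate.wait()                        # both requests pass the check first
        if seen < amount:
            return False
        with self.lock:                    # each write is safe; the check is stale
            self.balances[src] = seen - amount
            self.balances[dst] += amount
        return True

    def transfer_atomic(self, src, dst, amount, gate):
        gate.wait()                        # same simultaneous arrival
        with self.lock:                    # check and write form one critical section
            if self.balances[src] < amount:
                return False
            self.balances[src] -= amount
            self.balances[dst] += amount
        return True


def replay(method_name):
    """Send the same A->B $5 transfer twice at once; return (balances, accepted)."""
    store, gate, accepted = CardStore(), threading.Barrier(2), []
    def request():
        accepted.append(getattr(store, method_name)("A", "B", 5, gate))
    threads = [threading.Thread(target=request) for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return store.balances, sorted(accepted)


if __name__ == "__main__":
    for name in ("transfer_racy", "transfer_atomic"):
        balances, accepted = replay(name)
        print(name, balances, "total:", sum(balances.values()), accepted)
```

In the racy version both requests are accepted and the three cards hold $20; in the atomic version the second request is refused and the total stays at $15.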
The rebuke for his actions came when he attempted to contact Starbucks to notify them of the free gift card reloading exploit. He wrote a post on his blog.
“The hardest part – responsible disclosure. Support guy honestly answered there’s absolutely no way to get in touch with technical department and he’s sorry I feel this way. Emailing InformationSecurityServices@starbucks.com on March 23 was futile (and it only was answered on Apr 29). After trying really hard to find anyone who cares, I managed to get this bug fixed in like 10 days.”
“The unpleasant part is a guy from Starbucks calling me with nothing like “thanks” but mentioning “fraud” and “malicious actions” instead. Sweet!”
Both parties have something to learn from this experience. Starbucks is no stranger to odd social interactions, both with customers and with outside contractors. The company recently pulled a social pet project called #RaceTogether, covered elsewhere on the Inquisitr, in which baristas were encouraged to talk about racial issues with customers while serving their coffee. The idea was canned very quickly.
Mr. Homakov did commit fraud, even if it was a paltry $1.70. While the question of “did the ends justify the means?” can be debated, it does not change the fact that he did commit fraud against Starbucks. When speaking to Ars Technica about the interaction, he claimed he was entitled to a $1,000 bug bounty reward based off an earlier phone call with Starbucks. Bounties on exploits such as the free Starbucks gift card reloading scheme are common practice amongst large corporations, but he was not contracted by Starbucks, nor did he seek them out prior to his project.