A flaw in Starbucks’ gift card system allowed users to transfer money between cards even when there was no money to be transferred, according to security researcher Egor Homakov.

Homakov bought three Starbucks gift cards and loaded $5 onto each of them. He then exploited a “race condition” vulnerability to transfer the entire balance of one card to both of the other gift cards at the same time, resulting in an extra $5.

“It’s very common bug for websites with balances, vouchers or other limited resources (mostly money),” Homakov wrote in a blog post on Sakurity.

He ended up with $20 across two cards after a $15 investment, and verified that the cards were actually credited with that amount by using them to buy $16.70 worth of Starbucks items. He reloaded money onto the cards after the purchase to “make sure the US justice system will not put us in jail over $1.70.”
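The two simultaneous transfers described above can be modeled in a few lines. This is an added example, not code from Homakov's post or from Starbucks: the `Ledger` class, the card names and the lock-based fix are assumptions, used to show an unsynchronized balance check next to an atomic one.

```python
import threading

class Ledger:
    """Toy in-memory ledger (constructed): three cards loaded with $5 each."""
    def __init__(self):
        self.balances = {"card1": 5, "card2": 5, "card3": 5}
        self.lock = threading.Lock()

    def transfer_unsafe(self, src, dst, amount, gap):
        # Check-then-act: the balance check and the debit are separate steps,
        # so two concurrent requests can both pass the check.
        balance = self.balances[src]
        if balance < amount:
            return False
        gap()  # stands in for the latency between the read and the write
        self.balances[src] = balance - amount
        self.balances[dst] += amount
        return True

    def transfer_safe(self, src, dst, amount, gap):
        # Check and debit run under one lock, the in-process analogue of a
        # row lock or a conditional "UPDATE ... WHERE balance >= amount".
        with self.lock:
            return self.transfer_unsafe(src, dst, amount, gap)

def simulate(safe):
    """Send card1's balance to card2 and card3 at once; return (accepted, total)."""
    ledger = Ledger()
    barrier = threading.Barrier(2)
    def gap():
        # Hold each request in the window until the other arrives; under the
        # lock the other never arrives, so the wait times out and we proceed.
        try:
            barrier.wait(timeout=0.5)
        except threading.BrokenBarrierError:
            pass
    transfer = ledger.transfer_safe if safe else ledger.transfer_unsafe
    accepted = []
    threads = [threading.Thread(target=lambda d=d: accepted.append(
                   transfer("card1", d, 5, gap))) for d in ("card2", "card3")]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(accepted), sum(ledger.balances.values())

if __name__ == "__main__":
    print("unsafe:", simulate(False))  # (2, 20)
    print("safe:  ", simulate(True))   # (1, 15)
```

In the unsynchronized run both transfers are accepted and the ledger holds $20 against $15 loaded; with the check and debit made atomic, the second transfer is rejected and the total stays at $15.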

Homakov tried to report the bug to Starbucks in late March, but it took 10 days for the system to be patched. “The unpleasant part is a guy from Starbucks calling me with nothing like ‘thanks’ but mentioning ‘fraud’ and ‘malicious actions’ instead,” Homakov wrote in his post.

Update: Starbucks says in a statement, “Like all major retailers, Starbucks has safeguards in place to constantly monitor for fraudulent activity. After this individual reported he was able to commit fraudulent activity against Starbucks, we put safeguards in place to prevent replication.”

This bug was potentially a more serious risk to Starbucks than the one reported earlier this month, where hackers with rewards members’ passwords could empty bank accounts of people who used the cards’ auto-reload feature.
