Starbucks API Key Exposed on GitHub Leads to Critical JumpCloud Breach

A developer mistake left a Starbucks JumpCloud API key in a public GitHub repository. The report was rated Critical: anyone holding the key could have queried internal systems, added or removed authorized users, and even taken control of AWS resources. The researcher who reported it received a $4,000 bounty.

Programmer DD

Due to a mistake by Starbucks developers, an API key was committed to a public GitHub repository, where anyone who found it could have used it to access internal systems and modify the list of authorized users.

The report was rated Critical because the key granted access to Starbucks' JumpCloud API.
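The root cause above is a credential committed to source control. The block below is an added example, not code from Starbucks, JumpCloud, or the original article: a minimal pre-commit secret scanner that inspects only the lines a commit adds and flags quoted literals assigned to names such as `api_key`, plus bare high-entropy tokens. The diff, the file path `config/jumpcloud.py`, and the 40-character hex key are constructed for the example; the key format, entropy threshold, digit-count heuristic, and placeholder words are assumptions, not JumpCloud's documented key format.

```python
"""Added example: pre-commit secret scan over staged diff text.

Not Starbucks' or JumpCloud's code. The sample diff and key below are
constructed; the heuristics (entropy cut-off, digit count, placeholder
words) are assumptions to tune per repository.
"""
import math
import re
import sys
from collections import Counter

# A quoted literal of 20+ characters assigned to a secret-looking name,
# e.g.  API_KEY = "..."   or   apiKey: '...'
ASSIGNMENT_RE = re.compile(
    r"""(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['"]([A-Za-z0-9_\-/+=]{20,})['"]"""
)
# Any bare token long enough to be a key, checked by entropy below.
TOKEN_RE = re.compile(r"[A-Za-z0-9_\-/+=]{32,}")
ENTROPY_THRESHOLD = 3.5   # bits per character; assumed cut-off
MIN_DIGITS = 3            # assumed heuristic: identifiers rarely carry 3+ digits
PLACEHOLDERS = ("example", "changeme", "your-", "xxxx")  # assumed allowlist


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Never echo a suspected secret in full into hook output or CI logs."""
    return value[:4] + "..." + value[-4:]


def looks_placeholder(value: str) -> bool:
    v = value.lower()
    return any(p in v for p in PLACEHOLDERS)


def scan_line(line: str):
    """Return [(reason, redacted_value)] for one line of added text."""
    hits = {}
    for m in ASSIGNMENT_RE.finditer(line):
        value = m.group(2)
        if not looks_placeholder(value):
            hits[value] = f"literal assigned to {m.group(1)}"
    for m in TOKEN_RE.finditer(line):
        value = m.group(0)
        if value in hits or looks_placeholder(value):
            continue
        digits = sum(ch.isdigit() for ch in value)
        if digits >= MIN_DIGITS and shannon_entropy(value) >= ENTROPY_THRESHOLD:
            hits[value] = "high-entropy token"
    return [(reason, redact(v)) for v, reason in hits.items()]


def scan_diff(diff_text: str):
    """Scan only '+' lines of a unified diff; returns (path, line, reason, redacted)."""
    findings = []
    path = None
    new_line_no = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
            continue
        if raw.startswith("@@"):
            # @@ -a,b +c,d @@  : c is the first new-file line number of the hunk
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
            new_line_no = int(m.group(1)) if m else 0
            continue
        if raw.startswith("+"):
            for reason, value in scan_line(raw[1:]):
                findings.append((path, new_line_no, reason, value))
            new_line_no += 1
        elif not raw.startswith("-") and not raw.startswith("\\"):
            new_line_no += 1  # unchanged context line
    return findings


# Constructed sample: a developer hard-codes a key "temporarily" and also adds
# a long identifier and a placeholder, neither of which should be flagged.
SAMPLE_DIFF = """\
diff --git a/config/jumpcloud.py b/config/jumpcloud.py
--- a/config/jumpcloud.py
+++ b/config/jumpcloud.py
@@ -1,3 +1,6 @@
 import os
-API_KEY = os.environ["JUMPCLOUD_API_KEY"]
+# TODO: move back to env before release
+API_KEY = "3f9a7c1e0b64d8e2a5f07c9b1d3e6a4f8b2c0d7e"
+MAX_RETRY_COUNT_FOR_BACKGROUND_SYNC_JOBS = 5
+EXAMPLE_KEY = "replace-with-your-api-key-example"
 BASE_URL = "https://console.jumpcloud.com/api"
"""

if __name__ == "__main__":
    # Hook usage: git diff --cached -U0 | python scan_secrets.py
    text = SAMPLE_DIFF if sys.stdin.isatty() else sys.stdin.read()
    results = scan_diff(text)
    for path, line_no, reason, value in results:
        print(f"{path}:{line_no}: {reason}: {value}")
    sys.exit(1 if results else 0)
```

On the constructed diff the scanner reports one finding, `config/jumpcloud.py:3: literal assigned to API_KEY: 3f9a...0d7e`, and exits non-zero so the commit is blocked. The long identifier is skipped because it carries no digits, and the placeholder is skipped by the allowlist; both heuristics trade recall for fewer false positives and should be tuned per repository. A hook like this only prevents the commit; a key that has already reached a public repository must still be treated as compromised and revoked, since forks and caches keep the history.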

Impact

Bug bounty hunter Vinoth Kumar discovered the key in the public repository and responsibly disclosed it through the HackerOne bug bounty platform. JumpCloud is a cloud directory and Active Directory management platform, marketed as an Azure AD alternative, offering user management, single sign‑on (SSO), and LDAP services.

Kumar reported the issue on October 17. Starbucks' formal response came three weeks later; it described the exposure as involving a "large amount of sensitive information" and offered a bounty.

The technical fix itself was quick: the repository was removed and the API key revoked by October 21. The formal response took longer than usual because the company wanted to fully understand the severity and confirm that remediation was complete.

Kumar also provided proof‑of‑concept code demonstrating what an attacker holding the key could do: list internal systems, take control of the Amazon Web Services (AWS) account, execute commands on target systems, and add or remove users with access to internal systems.

Bounty

After negotiations, the researcher received a $4,000 bounty, the highest Starbucks has paid for a vulnerability so far; typical rewards in the program range from $250 to $375.

Since launching its bug bounty program in 2016, Starbucks has handled 834 vulnerability reports, processing 369 in the past three months and distributing a total of $40,000 in rewards.

The previous major Starbucks vulnerability involved a sub‑domain takeover of an abandoned Azure cloud host, for which the company paid a $2,000 bounty.

Source: https://www.bleepingcomputer.com/news/security/starbucks-devs-leave-api-key-in-github-public-repo/
Written by Programmer DD, a tinkering programmer and author of "Spring Cloud Microservices in Action".