Starbucks API exposed

Developers at Starbucks exposed an API key that might be used by an attacker to access internal IT systems and manipulate the list of authorized users.

The issue has been rated as ‘critical’ because it could allow attackers to execute commands on systems, add or remove users who have access to internal systems, and potentially take over the AWS account.

The key was found in a public GitHub repository.

Serious impacts ignored

Vulnerability hunter Vinoth Kumar found the key in a public GitHub repository and disclosed it responsibly through the HackerOne vulnerability coordination and bug bounty platform.