
Reminds me of the guy who found the Starbucks gift card exploit and decided to test it live. That got him the lawsuit.



He never 'got a lawsuit.' Instead, he got some comments from the contact to whom he reported it that criticized his approach. It's not even clear just who this person was. It seems he had trouble locating a contact to report security issues to, so this may as well have just been a low-level support rep who was in over his head and saying things he shouldn't have.

"The hardest part - responsible disclosure. Support guy honestly answered there’s absolutely no way to get in touch with technical department and he’s sorry I feel this way. Emailing InformationSecurityServices@starbucks.com on March 23 was futile (and it only was answered on Apr 29). After trying really hard to find anyone who cares, I managed to get this bug fixed in like 10 days.

The unpleasant part is a guy from Starbucks calling me with nothing like “thanks” but mentioning “fraud” and “malicious actions” instead. Sweet!" http://sakurity.com/blog/2015/05/21/starbucks.html


The only way to be sure it exists is to test it live.


That is rarely true, and also beside the point: if you report the flaw and they acknowledge it, what does verification matter?


Not only did he test it live, but he used the gift card to purchase items. Could have easily walked in and checked the balance without purchasing anything.


To be fair, his purchase was relatively inexpensive, did not significantly disrupt other customers or otherwise compromise the system, and served to test that the balance was actually available, not just displayed.

Just deduct the price of the sandwiches from the bounty reward?



