Race Condition Exploit in Starbucks Gift Cards

A researcher was able to steal money from Starbucks by exploiting a race condition in its gift card value-transfer protocol. Basically, by initiating two identical web transfers at once, he was able to trick the system into recording them both. Normally, you could take a $5 gift card and move that money to another $5 gift card, leaving you with an empty gift card and a $10 gift card. He was able to duplicate the transfer, giving him an empty gift card and a $15 gift card.

Race-condition attacks are unreliable and it took him a bunch of tries to get it right, but there’s no reason to believe that he couldn’t have kept doing this forever.

Unfortunately, there was really no one at Starbucks he could tell this to:

The hardest part—responsible disclosure. Support guy honestly answered there’s absolutely no way to get in touch with technical department and he’s sorry I feel this way. Emailing InformationSecurityServices@starbucks.com on March 23 was futile (and it only was answered on Apr 29). After trying really hard to find anyone who cares, I managed to get this bug fixed in like 10 days.

The unpleasant part is a guy from Starbucks calling me with nothing like “thanks” but mentioning “fraud” and “malicious actions” instead. Sweet!

A little more from BBC News:

A spokeswoman for Starbucks told BBC News: “After this individual reported he was able to commit fraudulent activity against Starbucks, we put safeguards in place to prevent replication.”

The company did not answer questions about its response to Mr Homakov.

More info.

Tags: disclosure, exploits, fraud, hacking, vulnerabilities

Posted on May 26, 2015 at 4:51 PM • 66 Comments

Comments

Anura • May 26, 2015 5:26 PM

Easily avoided through proper use of database transactions. My experience is that too many developers prefer to avoid multi-statement transactions because they lead to problems they don’t know how to deal with. For example, instead of figuring out how to deal with deadlocks, they execute each statement as a different transaction.

In Microsoft SQL Server, developers are so used to using NOLOCK on all of their selects, that they even do it inside those transactions. Oracle and PostgreSQL don’t block on reads and instead maintain snapshots, so if one transaction is in progress and updates a row in a table and you attempt to read the data from that row in another, it won’t block but instead give the old data. This is an optional feature in SQL Server, but it can be worse in some ways, and both can lead to the problem seen above.

When doing things like placing orders, when you are really concerned about things like making sure inventory is properly tracked or gift card balance is adhered to, you need to create the order in its entirely as a single transaction using either Repeatable Read (if transaction A reads a row, then transaction B cannot modify that row until transaction A completes) or Serializable (if transaction A reads a range of rows, transaction B cannot modify those rows or insert a row that would fall into that range until transaction A completes).

Daniel • May 26, 2015 6:18 PM

So the real question is when are security researchers going to get smart and instead of telling an exposed company of their financial vulnerabilities, steal instead? Of course, this question presumes that they are not doing this already. But I just wonder how long this thankless task can go on. Turning this into a race where the most intelligent person wins strikes me as a long run recipe for disaster for American companies–smart people can steal wealth a whole hell of a lot faster than American companies can generate it.

Nick P • May 26, 2015 6:21 PM

StackOverflow has good advice about avoiding such things here. Deadlocks that can appear can be detected statically. Such are for companies that actually care (eg outside of a Starbucks).

Johan • May 26, 2015 6:54 PM

“Easily avoided through proper use of database transactions”

Everything is easily avoided when you’re an expert in everything.

Jayson • May 26, 2015 6:57 PM

Not sure if calling it “fraud” is correct, or even labeling it an attack. Also, there is no telling how much money Starbucks gave away from people who simply double-clicked the submit button.

The company should be liable for their own losses in cases of incompetence like this.

Chris • May 26, 2015 7:20 PM

“Everything is easily avoided when you’re an expert in everything.”

Yay, praise ignorance! Because it is too hard to learn the tool that you’re working with. Anybody with a CS course would have learned that in their third day on databases 101.

Thoth • May 26, 2015 7:27 PM

Put it in simple, people don’t like pain and don’t like to learn from pain but pain is unavoidable for mistakes.

What Starbucks should do is apologize to the researcher for the bad feelings and make the Starbucks employee apologize on the company’s behalf as well and to hand out the bounty.

The researcher should also realize that bug hunting is like touching the raw nerves of a business and that is a common reaction and keep the cool. Give Starbucks a 30 days respond period before publicizing. All conversations with Starbucks and the issue should also be disclosed publicly to allow public to view the actions (nothing up my sleeves).

It is a shame that big companies like Starbucks should respond in such a strong and inelegant manner considering they had a bug hunting bounty program thus explicitly inviting people to do bug hunting (asking for public penetration testing in a way).

It is hard to walk along the bright side when you know too much 😀 .

What should the standards of security disclosures be ?

Daniel • May 26, 2015 7:33 PM

I made the mistake of coming back and clicking through to read the comments in linked sites.

Let’s be clear here–it’s not a question of ethics or legality or the ends justifying the means; it’s a question of the ability to do hacking at all. If the researcher didn’t commit a crime then he would have no evidence that the hack actually worked. If you don’t know the hack actually works you haven’t hacked, at best you’ve published a journal article somewhere.

The idea that Starbucks has a right to be upset because they didn’t request s security audit would be funny if it weren’t so ludicrous. That’s the difference between a actual hack and an intellectual exercise.

Every American should be worried about this nancy boy attitude that hacking is ok only if it doesn’t do any harm. Have we forgotten Sony already? The Chinese and the Russians aren’t going to be so nice. They aren’t going to ask Starbucks if they want a security audit any more than NK asked Sony if it wanted one.

In a sane world the task of exposing security vulnerabilities would be seen as a social /duty/ in an era of cyber warfare.

Petter • May 26, 2015 7:35 PM

I kind of did the same with a giftcard for a magazine subscription.

When I ordered the subscription and payed with the giftcard code for my daughter, I clicked on submit and notice a non-respons after a second so I clicked again and it went through. I got a single confirmation email and I was happy with that.

A couple of weeks later she received two copies of the magazine. This continued every month for a year.

She was happy as she gave the extra mag to a friend of hers. 🙂

rgaff • May 26, 2015 8:02 PM

@ Petter

Welp. You just confessed to a crime (a felony if you live in my country). Law enforcement read this, and watch every internet connection, worldwide, looking for such confessions. So see you behind bars.

This is serious business folks. What’s happening is not moral nor right, but it’s serious. And it’s real. And it’s “legal” if all you care about is legality and not right and wrong.

Thoth • May 26, 2015 8:55 PM

@all
Should writing bad codes and bad security mistakes be some sort of liable ? Most organisations get away with pointing fingers and sueing security researchers or attackers but they themselves walk away freely getting paid (lawsuit) for the mistakes they made which harm their customer-base. Their customers are not able to do much other than deciding to continue the service or not and even if the service were to be legally discontinued, their data would always be recorded for posterity.

35y7ur • May 27, 2015 12:15 AM

@rgaff, all

I’ve read so many times on this site that law enforcement actively read this blog’s comments. I’ve read comments that there are even law enforcement people or government agents actively trying to influence the discussions here. Is this just speculation? Has there been any real evidence of LE/Government active surveillance of this blog or of people because they commented here? Or are we all just paranoid? Or both?!

Curious • May 27, 2015 1:57 AM

@35y7ur

I remember there was a woman and a man that sort of latched onto the public wikileaks’ sort of encrypted/anonymized chat some time ago, before Manning was a familiar name, the two of them had went onto the wikileaks chat and announced their talkshow iirc called “Nightly Canoos” and sort of dragged a few people over to their website and their chat. They seemed intelligent and was well suited for talking to people, however after a while it seemed to me as if they eventually opined in a rather retarded way, and just like with some a wikileaks forum with questionable content, it all seemed like a repellent to anyone being remotely intellectual. When the topic of a particular government agency came up in their chat, the male replied something like “you can never know”. At that point I thought it was likely that they were working for some three letter agency. The male also claimed that they were good at spotting people working for the government.

I remember being asked by a stranger on the wikileaks chat iteself if I owned a firearm and if I was apart of an organization, answering no to both. I’ve always thought it was the FBI that asked that question, because it wouldn’t make sense if anyone working for Wikileaks went around aksing such questions.

JonKnowsNothing • May 27, 2015 2:05 AM

@35y7ur • May 27, 2015 12:15 AM

I’ve read so many times on this site that law enforcement actively read this blog’s comments. I’ve read comments that there are even law enforcement people or government agents actively trying to influence the discussions here. Is this just speculation? Has there been any real evidence of LE/Government active surveillance of this blog or of people because they commented here? Or are we all just paranoid? Or both?!

What sort of proof would you like?

Have you read anything recently that would suggest that governments around the world have absolutely no interest in crypto, data encryption, privacy issues or that they have abandoned the “Entire Haystack” philosophy of surveillance?

What sort of evidence would you like?

In the USA and UK, Australia, New Zealand and Canada no evidence is allowed to be presented in public, no evidence is allow to be presented to the accused or their legal counsel, reporting on any “secret” evidence can and does result in long prison sentences and the secret courts keep right on truckin’. No one has “STANDING” in the secret surveillance courts of US except the US Government and only a few selected groups within that frame work can see, read, hear the evidence. Even US Senators cannot take notes about such evidence or other proofs hidden in a secret high security room inside the Senate building.

Millions of people are on lists of all sorts and from all sorts of governments around the world. Certainly at least one of those TASKS this blog and the readers or posters, if not more.

All you have to do is just LOOK to be ON A LIST somewhere.

rgaff • May 27, 2015 2:14 AM

@ 35y7ur

It’s a little of all the above.

From the Snowden docs, we KNOW that the US Government monitors all activity on the net. The authorities lie and repeat phrases like “Nobody is READING your email” (Obama quote)… trying to trick us into thinking they’re not monitoring… but they ARE monitoring, and we are CERTAIN of this, in the sense that they’re monitoring for key words with computers watching, then when the computer algorithms flag something, humans take a closer look and investigate. It works like this: if I say, for example, “bomb” and “white house” in the same sentence, congratulations, I am now under investigation for saying that example, and so are you all for reading it! Have fun! To be fair, this particular example is ASSUMED, we don’t know their exact key words, but we do KNOW that this is how it works.
From Snowden docs and others we KNOW that they specifically target system administrators and in general congregations of researchers, and also dissent. Well, we have an obvious nexus of all three here, so then we ASSUME Schneier’s blog is targeted too, not just caught in the general net.
From https://weakdh.org/sysadmin.html we KNOW that Schneier’s site in particular is susceptible to the logjam attack, and uses a weak commonly shared 1024 bit key. Go ahead, put in “schneier.com” into the blank there and see for yourself. We must ASSUME that the NSA uses this and has for years to break encryption and monitor who says what when.
We do NOT KNOW specifically of people being hauled off to the gulag from this blog, but how would we? Would they log on from prison and let us know? There have been prominent knowledgeable people who just stopped commenting, and we don’t know why…
We do KNOW in general from many sources, that many governments and some other groups are using hired people to post comment spam on web sites in general to try to influence people’s opinions. We do NOT KNOW for sure if it’s happening here in particular, but some of the commenters do fit the profile quite starkly. It quacks like a duck. Search for “troll” and “shill” to find more info about this, here and other places.
Of course there is some healthy paranoia mixed in as well. A little bit doesn’t make you insane, it keeps you safe(er).

Did I miss any? The speculation I’ve seen is not without any evidence.

Curious • May 27, 2015 3:04 AM

I wonder, at what point would Starbucks start to notice that something is off if people pull out more money than they would normally?

I also wonder, and feel a little silly about it, if a glitch like this could be used by the company’s own people to siphon out alot of money, and maybe even worse, if there somehow wouldn’t be any records to prove this.

Winter • May 27, 2015 3:12 AM

@rgaff
“6. Of course there is some healthy paranoia mixed in as well. A little bit doesn’t make you insane, it keeps you safe(er).”

But you should keep your paranoia practical.

In the grand scheme of things, most of the people here are uninteresting to any government agency. Maybe a few people here could be of interest to be followed online. Even less could draw any action towards themselves. The people likely to be targeted will almost certainly suspect this already and behave accordingly.

What is more interesting to government agencies is following the evolution of popular opinion in blogs like this and trying to steer it. For that we have the tried-and-tested AstroTurf campaign organizations. This is sheer propaganda work and unlikely to involve any direct cloak and dagger activities.

Obviously, if you record all online activity, you will record what is happening on this blog too. But if you want to prevent “them” from keeping a record of your opinions, it seems the only resolve is to not express your opinions.

Which leads us to the question of the worth of unexpressed opinions.

tyr • May 27, 2015 3:32 AM

@rgaff

That looks like a good summary. If you assume a totalitarian
government ready to grind every percieved opposition to fine
powder then everybody here is in deep doo.

If the purpose is to keep an eye on the pulse without the
usual noise level this is a good place to keep an eye on.
I’m sure the government would be a lot happier if we were
not monitoring their actions and calling them out for the
worst of it. If you are paranoid about it hang out on FB
and enter their database records with your own material
while they lounge around being useless. You’ll only be
off the record until you say or do something the machine
sorter dislikes. I’m sure there are a few government types
who are shovelling shit against the tide trying to do the
job they are paid for but experience says they aren’t all
that common among the useless time serving grabtailling
weasels who infest governments.

If you fear “the man” you do the man’s work for him but
it does neither of you any good in the long run. It just
makes you insane with your own phantom worries. This is
not a good place to be stupid which makes it a rarity
on the moderne version of the Net.

You might want to look up Don Lancasters definition of
a Granfalloon since it covers most government institutions
wonderfully well.

fajensen • May 27, 2015 3:59 AM

Lesson to security researchers:

Don’t Bother helping our corporate welfare queens, they don’t want your help. They prefer a “shoot the messenger”-approach to problem solving.

If that’s how it is, then: Don’t be that messenger, let others carry the mantle by releasing the hack in the wild on an anonymous leak service. Time & Circumstances – a.k.a. The Market will then sort out the problem and appropriate punishment.

CouldntPossiblyComment • May 27, 2015 4:12 AM

I don’t often comment on Bruce’s blog as I often feel like I’m out of my depth, but as a developer who tries to take security seriously, I think the experts here are missing the obvious. It’s hard enough to get developers & managers as a group to acknowledge the existence of the problem, let alone be diligent about it.

More worrying is the schizophrenia of these big companies that run Bugcrowd bounty programs (likely from Engineering) and then chastise the security researchers over fraud (in this case, from InfoSec, rather than Legal). To absolutely prove out a bug in a payment system, you likely do have take an action that looks like fraud. The rest of the debate is into the murky grounds of permission (explicit, implicit by bug bounty etc.)

Could the researcher have handled it better? Potentially. A bug bounty report of the initial finding could have been enough to get permission from Starbucks to try the real exploit. Even so, the response by Starbucks’ InfoSec team is over the top, and caused a news story where none otherwise would have existed. From Starbucks’ perspective, that’s the real damage, and so the blame lies there. Their InfoSec team needs some serious re-training on how to handle themselves with third parties. Typical IT-stereotype arrogance.

Aside: Anura’s comment about transactions rings totally true for me; I’ve lost count of the times I’ve lost that battle…

I can easily imagine the conversation when developing the gift card system went something like this (I don’t work at Starbucks and this is hypothetical, but I’ve heard similar statements in companies):

We’ve connected up the gift card system to payment
Anyone do a security review?
Relax, nobody’s going to target this, and if they do, we’ll fix it then
Did that component go through code review?
Nah, I put it together during prototyping, my code is fine, trust me

Mentioning any of the above to a manager:

I really think we should do a security review
Yeah, but we need to get the system released, we got given a deadline and we have to hit it. Can you do the review after we’ve put it into production?
Sure, but you know people could try to exploit it in the meantime?
Yeah, but that’s what we have lawyers and fraud teams for. Besides, we got hacked before, it’s not like we can keep the determined attackers out anyway.
What about all the security defects from static analysis?
Well we really only have time to fix the critical ones, can you write up how we can defer the rest?
But the CISO made this big speech about how we should take security seriously!
Well, I know, but the product manager’s goals aren’t linked to that, and he drives our priorities.

Talk about an uphill struggle to even get the problem acknowledged…

Thoth • May 27, 2015 4:44 AM

@all

Standardization of Public Bug Hunt Request

ABOUT:
There are ambiguity of whether a website owner is serious with his/her/it’s bug hunt’s program. An unauthenticated statement on a website may or may not be used to represent the website owner’s intentions. To lessen ambiguity, I would like to propose a standard format for website owners serious with their bug hunt programs to use this format as a digital proof of authorization for security researches to execute bug hunting on their websites. A standardized and signed format for authorizing bug hunts should be used to digitally express intentions to allow bug hunts.

PRE-REQUISITE:
Website must have TLS 1.0 and above secured with an RSA keypair of at least 2048 bits or more, 256 bits ECC key or more and uses symmetric keys of 128 bits or more and secure hashing of either SHA1, SHA2 or SHA3 families. Diffie-Hellman keys is out of scope as this is not fully regarding TLS socket implementations.

WEBSERVER CONFIGURATION:
1.) The base URL for the bug hunting URL should always be “https://domain-name/bughunt”.

2.) The authorization file should be in XML format and called “bughunt.xml”.

3.) The authorization file should be stored in “https://domain-name/bughunt/bughunt.xml”.

4.) The format should be as follows with the replacement of curly braces to angle braces:

{bughunt}
{allow status=”true/false” fromdate=”ddmmyyyy” todate=”ddmmyyyy” hash=”sha1sha224/sha256/sha384/sha512/sha3-ss4/sha3-256/sha3-384/sha3-512″ /}
{sign}
/*
**Base64 encoding of hashed data of the {allow/} tag as specified and signed **with the TLS private key of the website.
*/
{/sign}
{/bughunt}

5.) The XML form above is signed with the website’s private key and placed on the website so that anyone wanting to mount a bug hunt can retrieve the public key from the TLS certificate of the website and proof the authenticity of the public bug hunt request before mounting one.

rgaff • May 27, 2015 5:05 AM

@Winter

“most of the people here are uninteresting to any government agency.”

A very tired old government platitude with a severe logic hole: If most people are so uninteresting, why then is the government recording and scanning them all? Obviously everyone IS VERY MUCH SO interesting enough, for the government to have the program whereby they apply machine algorithms watching everything they say, do, call, etc! We know they do this. It is fact, backed up by the docs, not paranoia. We just don’t know for sure which key words and algorithms they employ, though some leakage out of Germany seems kind of shocking. To be clear: this is not the targeted part, this is the mass non-targeted scoop I’m referring to. But… then it becomes targeted once a “hit” is found. Not based on any suspicion of guilt, but based upon some key word(s) uttered! But you seem to “get” all this, because then you say:

“if you want to prevent “them” from keeping a record of your opinions, it seems the only resolve is to not express your opinions.”

This is true. But I refuse to do that, because that’s letting them “win”…. 🙂 Self-censorship is giving up and letting the world dissolve into totalitarianism. Refusing to self-censor is standing up to it and fighting it. “Give me liberty or give me death,” is how someone once put it!

@ tyr

“That looks like a good summary. If you assume a totalitarian
government ready to grind every percieved opposition to fine
powder then everybody here is in deep doo.”

Is there any other way we should assume government to be? Government is made up of people, and people are inherently self serving, not just altruistically seeking the benefit of everyone else. We know this is true, because otherwise totalitarian dictatorships would be utopian societies. That’s why the founding fathers of the USA tried to set up “checks and balances” so that the inherently self serving people and branches would hopefully balance out and be ok in the middle, benefiting all… and that’s worked… but it’s unstable over the long run, because the foundation, people, is unstable. It keeps listing more and more toward a plunge into the depths as time goes on.

The solution is for each of us, you, me, everyone to keep watching and looking for a way to be different somehow, and never give up hope. Because as bad as the world is, there must be hope, or we’d all be much worse off already. But it starts with each of us ourselves as individuals. Not as government, as individual people.

Winter • May 27, 2015 5:23 AM

@rgaff
“Obviously everyone IS VERY MUCH SO interesting enough, for the government to have the program whereby they apply machine algorithms watching everything they say, do, call, etc!”

If everyone is interesting, no one is. That is in the meaning of the word “interesting”.

The “Man” will hoover up everything they can, but all bits together are just noise. They only become information when placed in a definite context.

So most of “us” are currently not interesting enough to warrant some definite action. Some of us might attract personalized attention, but these unfortunate souls will probably know that and prepare.

For all I know, I for one, might have been under targeted surveillance. I even know that I am in a class of people for which our local Secret Service will have compiled a file (a purely formal bureaucratic affair). But I have never noticed anything that might suggest “They” have acted on any surveillance, if it took place at all.

But I am convinced that a lot of my online activities have been recorded somewhere for later scrutiny. And I am totally against these practices.

Richard H • May 27, 2015 8:15 AM

@Thoth

fromdate=”ddmmyyyy”

If you’re going to propose a standard, it’s probably a good idea to use existing standards where possible, to avoid misinterpretation. For instance, you might try the ISO 8601 date format. Also, signatures in XML documents are often problematic because of canonicalisation issues – referencing existing standards can save you a lot of grief here. And it wouldn’t do any harm to give your XML a namespace URI and a formal schema.

HTH.

Czerno • May 27, 2015 9:10 AM

@Rgaff : regarding your 3rd point,

“3. … we KNOW that Schneier’s site in particular is susceptible to the logjam attack, and uses a weak commonly shared 1024 bit key.

We must ASSUME that the NSA uses this and has for years to break encryption and monitor who says what when.”

They may be using that, but what would that
give them since the blog and its comment, although the site is using https transport, is in the clear ? AFAIK there are no site specific passwords or other sensible data that ordinary users here can record or access.

Alright, that is not taking in account site owner and moderator passwords, personal files if any, etc, OK. I fully expect Bruce and any trusted collaborators to have sound password, and data encryption and protection, practices !

Zenzero • May 27, 2015 9:51 AM

@Czerno, @Rgaff

If you check the site (as you have), it is not using an ‘export DHE’ cipher suite, so is really only the fact it’s a commonly used 1024 DH group which is pinging the warning. Breaking that wouldn’t be trivial and so far no evidence to show it has been done. Also there’s nothing private on the public face of the server that they can’t just read anyway. So I would imagine it’s not a critical issue to this particular site.

Also, I’m sure @Bruce schneier, &moderator have regular maintenance of the server to allow for patching, general server maintenance where they will update the server against Logjam at that point.

Another point on Logjam, the NSA were quick to publically announce they had nothing to do with Heartbleed, but at least to my knowledge, have been deafeningly quiet about Logjam, makes you wonder…

Petrov • May 27, 2015 10:22 AM

Starbucks Has Information Security Like It Is 1999

That could not have been a worse message to send to the whole world. “We have no functional security team”. I also wonder if there is any security to their cards. But they have web applications, must have a large IT, large network, POS networks. They have had to have PCI compliance for much of this.

Zenzero • May 27, 2015 10:44 AM

@ Petrov

“They have had to have PCI compliance for much of this.”

There have been numerous examples recently and last year of PCI compliant corporations been compromised Ebay been a prime example as is Target.

PCI audits are broad overviews of system security standards and policies in place to cover each of the PCI standard points. “evidence” of these are assessed, with company documents and on site tours/meetings to see if, in the auditors opinion, the company passes the PCI standard.

In reality policies and standards are only some much paper and need to be carried out which many PCI compliant companies implement loosely. Also, it’s quite common for companies to overflow auditors with information and falsify evidence (training logs, monitoring logs, hardware destruction logs etc etc)

Add to this that the standard is quite old (mentions risk of memory scrapping but nothing more than it might be possible for example) and doesn’t adopt to security risks in their current form make it a relatively weak indicator of actual security stance, more an indicator of what the company would like if it had more time/people/money.

MikeA • May 27, 2015 10:55 AM

In regard to being “interesting” to the government, it’s important to remember that “the government” is not some single-minded entity with well-defined interests. Keep in mind “LoveInt” and flat out fraud by employees with access to the big pot of data soup.

On a related note, many companies just don’t want to hear about security issues. Adobe made it all but impossible for me to report when my single-use email (for registering one of their products) received porn-spam within twenty minutes of registration. One can assume some sort of malicious hacker cabal, or the more likely inside job. Companies like Adobe and Starbucks (and Target, Home Depot…), as well as DHS, have a lot of insiders.

JonKnowsNothing • May 27, 2015 11:21 AM

@35y7ur

Here I’ll fix the unknown variable for you, after this you can be 100% sure you are on THE BIG LIST.

Anwar al-Awlaki
http://en.wikipedia.org/wiki/Anwar_al-Awlaki

Samir Khan
http://en.wikipedia.org/wiki/Samir_Khan

Inspire</b
(get your own link if you dare to just LOOK. Warning: Don’t Do It.)

The NSA switchboard just lit up like a Christmas Tree and went into Overdrive.

The FBI is now looking CLOSELY at this posting and making notes.

You can expect a FBI informant plant to show up anytime now. The plant will be your best buddy but suggest you do some stuff that will net you 35years in supermax. If you don’t agree to what your new best buddy suggests, they will just doctor the 10101010101010 of the data, present selected bits to “those in charge” and mark EVERYTHING Secret/National Security Issue. You won’t get to see what or why or how they targeted you, just the next time you try to fly anywhere you will get THE special treatment. If you cross a border, remember that between the lines you are No Where and you have No Rights. They can and will detain you. If you get stopped in the proper jurisdiction no-mans-land it will be: Indefinitely.

Now you can be 100% positive you are a member of the club. No more worries.

Winter • May 27, 2015 11:37 AM

@JonKnowsNothing
Somehow, I cannot see how a person that needs Wikipedia to get information about these people could be in any way suspicious.

That is like expecting neo-nazis to flock around the Wikipedia entry about Adolf.

Also, I do not see the world’s TLA’s spending all their time on highschool kids “researching” their school papers.

Clive Robinson • May 27, 2015 12:10 PM

@ Winter,

Guess what… In the UK the newspapers and other press have issues with “jihaddi brides”, that is teenage girls disapearing via flights to other European countries and then being smuggled over borders to join ISIS etc.

Now as the press have issues with it the elected government has issues with it that fit right in with their political agenda (not sure which is the egg or the chicken).

The problem is that some of the J-brides are now activly recruiting via secureish comms channels, which means the authorities now have to take a step or two back down the recruitment chain.

Which means checking for certain page accesses to the likes of wiki and other “info-mercial” pages the recruiters use. Then using that as an indicator to follow up for other access or securish comms…

Does it work, I have no idea but that’s not the point, it ticks a political agenda tick box on the road to no civilian privacy in the electronic realm.

JTR • May 27, 2015 12:15 PM

I work with financial software. When my team and I was in a situation similar to the one this researcher was in, we went with our lawyer (this was not in the US, but I guess something similar can be done in the US). He advised us on a way to test the vulnerability without being liable for anything.

We went to a judge and told him about the situation, and made a deposit in the tribunal for the exact ammount we were going to substract.

That way it was proven beforehand that there was no bad intent, and no financial harm had been done. If the subject of our test dared to accuse us of fraud he could be accused of libel. If the test was not successful the judge would return the money to us.

The test was done and they took it very nicely when they were informed, but we were protected in case they wanted to act against us.

All of it was free, except for the lawyer consultation.

The lawyer explicitly stated that in case we substracted the money before going to the judge, we could go immediately afterwards and deposit the substracted money. This would prove that there was no bad intent as it was incidental, and the judge would inform the other party so they claimed the money and gave them the information needed to patch the vulnerability.

So in summary: ask a lawyer before doing something like this. (but maybe lawyers in the US are more expensive, I don’t know)

Winter • May 27, 2015 12:23 PM

@Clive
“The problem is that some of the J-brides are now activly recruiting via secureish comms channels, which means the authorities now have to take a step or two back down the recruitment chain.”

I heard these stories. It is also a problem in the Netherlands. These “kids” tend to be recruited over social media and online forums. I simply cannot see how Wikipedia could in any way help. If you go that way, do the meta-data thing on ISIS video clips or online forums. The real problem is that the hardcore recruits go off-line long before they migrate.

But seriously, Wikipedia? Would GCHQ be that eager for more haystacks to hide needles in?

rgaff • May 27, 2015 1:25 PM

@ Winter

“So most of “us” are currently not interesting enough to warrant some definite action.”

That’s the thing… we’re all “interesting enough” to mass surveil… then, when we utter certain key words, we’re individually “interesting enough” to become a target in the surveillance system… whether you count that as “action taken” or only actual vans parked outside or arrests as “action taken” seems to be our disconnect though…

@ Czerno, Zenzero

I didn’t mention downgrade, just the mass-shared 1024 bit moduli… There IS quite a bit of evidence of something LIKE this being used by the NSA. There are documents and paperwork leaked, and people-in-the-know alluding to a massive breakthrough, etc. And calculations of how much effort it would take to break the common 1024 bit one is within the realm of possibility for an entity with billions of dollars to blow on it (think: Utah Data Center). This evidence is a little vague, admittedly, but it fits. And it makes sense of the comments and documents to connect it this way.

So what does this mean for this site? I doubt US Government is impersonating Bruce to us using his login credentials, that would be too obvious to Bruce. It’s more likely they are associating each of our posts with our real life identification, producing kind of virtual dossiers on what each of us say here. I’m talking de-anonymization. Proper unbroken HTTPS would make this much more difficult (they’d have to resort to timing: watching who’s posting based on our IP, notice when each of us post, and watch when things appear on the public comments areas, and try to associate that way… or breaking into Bruce’s servers and stealing his web server logs), but broken HTTPS makes this much easier to do (simply decrypt our browser submissions themselves, associate with our IP, done).

Czerno • May 27, 2015 2:35 PM

@rgaff :

“It’s more likely they are associating each of our posts with our real life identification… I’m talking de-anonymization. Proper unbroken HTTPS would make this much more difficult,… but broken HTTPS makes this much easier to do (simply decrypt our browser submissions themselves, associate with our IP, done).”

Aha ! Thanks for pointing this to us. I had not
been realizing the posibility of what you have made so clear now.

rgaff • May 27, 2015 3:58 PM

@ Czerno

I’d like to additionally mention, that this kind of broken HTTPS means that it happens at the mass surveillance scale, when everything is ingested initially. They don’t even have to target any of us individually or Bruce’s site in particular, to decrypt and associate everything we say with our real life identification. It’s as if we sent our comments out on the internet in clear text.

This is why it’s so important for Bruce to fix his site, and get off that “Common 1024-bit Prime” onto a unique 2048 bit one.

Clive Robinson • May 27, 2015 4:55 PM

@ Winter,

Sorry missed your reply due to probs on another thread making taking a break for “tea” more desirable than normal…

I personally don’t think the security services care that much about who is looking at “radical” pages on Wikipedia it’s self though it’s a racing certainty they are for more radical wikis, blogs, websites and mail lists etc.

I personally consider it’s a CYA tactic by the services etc to avoid it comming back onto them when the press are saying the politicos are not doing anything to stop jbrides going off (and getting a rude awakening).

But if you are going to find teenagers or younger who might get radicalised –as the press/politicos love to call it– you need to a certain extent think like them and know how they get to the point of “going dark” via secure comms. That is find a way to tag everybody who starts looking for “further information” and what they then do a few weeks or months down the line [1].

It’s not something that needs much in the way of human resources and can almost run as an automated background task. The more senior security services then “pass the buck” on to other more junior services, who due to current austerity measures don’t have the resources to do anything about it.

So potentialy it has a high rate of return on “political capital” for the more senior security services, and also the advantage of passing the “hot potato” off into other potential rivals hands, like a poisoned challice. Which often is the only justification needed for such actions in the games of power politics and their associated turf wars the UK security services have been known to indulge in.

[1] This can also help the services identify which semi secure comms they need to be watching out for to identify recruiters and help piece together organisational structure maps of the radicalising organisations. So it’s not an entirely pointless excercise.

Thoth • May 27, 2015 7:42 PM

@Richard H
That was a quick draft on the fly. Not sure if anyone would be interested to use it but yes the use of ISO standards would be much better.

Gweihir • May 27, 2015 8:35 PM

Got to love the classics. Apparently people are still to stupid to put interlocks in or have generously parametrized timing-based preventative measures. Typically, the coders that mess things like these up do not even know what a race condition is.

Also got to love that Starbucks is apparently completely unprepared for something like this, in particular mentally. I predict that their heavy-handed response will cause real problems for them next time.

Sam • May 27, 2015 11:57 PM

@ Winter
“But seriously, Wikipedia?”

Some may look at the internet as some sort of graph. Each node or hyperlink represent a piece of knowledge. Of course, all this knowledge must be tagged in peculiar ways to give it robotic meanings before they can be farmed for impressions.

These type of activities seem to be most efficient to preempt lonewulf criminals. What do you think?

JonKnowsNothing • May 28, 2015 12:05 AM

@Winter

Somehow, I cannot see how a person that needs Wikipedia to get information about these people could be in any way suspicious.
That is like expecting neo-nazis to flock around the Wikipedia entry about Adolf.
Also, I do not see the world’s TLA’s spending all their time on highschool kids “researching” their school papers.

Clearly you do not quite get the point… yet.

The URLs are only for those who don’t know who Anwar al-Awlaki was or why he died in a US drone attack or why his 16 year old son was also killed or that he was a US Citizen. They are only for those who don’t know what Inspire means or what’s printed inside.

All you need is a “hook” to become a target. Some of these hooks are known but not all of them. These are part of the “Selector” list.

As General M. Hayden constantly refrains “no one looks at your data” and “we have to throw it over the transom to find out”, it’s the computers and their algorithms that pick it up and store it for more than 30 years (you have to dig a bit deeper to find out that the 2yr, 5yr data retention time frames are superseded by other timeframes).

Anyone even typing a high profile trigger name or reading a blog/magazine article written and published by a group that is “suspect” becomes targeted. It’s the same technique used by Corporations and Amazon to find out how much of the book you read: a web beacon will track your metadata and Bob’s Your Uncle.

By definition: Everyone is an Adversary. That means EVERYONE. You might not think someone reading a wiki article is “of interest” but there are agencies that do. If you go to a source document or participate in discussions “of interest” you are a defined target.

You are quite correct, articles on Adolf are also monitored and some other countries have strict laws regarding information from that period.

As for those High School kids.. that’s primarily who they target on the Inspire site. If you go to read what’s there based under US First Amendment Rights, you will forever be on the Target List. Remember 4 of the 5 Eyes do not have a First Amendment nor do they have a Bill of Rights.

You have No Rights At All. You only have Privileges which can be taken away at any time. They are working on it quite effectively: Snoops Charter Revamped and it’s fellows are here now and enacted.

Feel warm and fuzzy? Nice and Secure? Happy and Content? Just don’t raise a fuss and everything will be fine and you can live happily ever after.

thevoid • May 28, 2015 1:43 AM

@Winter, JonKnowsNothing

the problem is the people who do this ‘interpreting’. i have heard LEO types make statements about possible criminality based on the idea that “i don’t see why a law abiding citizen would be interested in X.” it’s enough to make someone a suspect, and reports on that type of thinking are legion these days…

rgaff • May 28, 2015 1:56 AM

@thevoid

You make a good point. I’m unsure why so many seem to have forgotten that it’s not criminal to be curious about the world around you, in fact it’s natural. What’s unnatural is censoring your own learning out of fear of retribution from your government! This is literally “dark ages” formation material!

Eldoran • May 28, 2015 6:32 AM

I’m curious, how could you check if there is a bug in the application which allows a race condition WITHOUT actually having the (source) code or trying to trigger said race condition?
Unless starbucks is making the application available to willing bughunters?

I mean in the race condition should be in something that is not under the control of the potential attacker – if that were the case, that would be an even more dangerous bug.

Winter • May 28, 2015 7:03 AM

@JonKnowsNothing
“Anyone even typing a high profile trigger name or reading a blog/magazine article written and published by a group that is “suspect” becomes targeted.”

Pure FUD.

If you are after sharks, you should fish at sea, not in a freshwater pond. This is fishing for sharks in a high school fish pond.

If all you are after is an excuse to jail people, why go to the length of hooking some Wikipedia pages?

If you wan to have at least a chance to sift through the hay to find a needle, do not buy extra hay stacks. Putting hooks on innocuous Wikipedia pages will deliver you hay stack by the ship load.

My point is that the discriminative power of such Wikipedia pages is so low, it is useless. And they are also irrelevant to trying to make someone look suspicious.

Zenzero • May 28, 2015 7:25 AM

@ Winter, @ JonKnowsNothing

Just to add to what @ Winter mentioned, section 215 gave the FBI the authority to check library and bookstore records for people of interest. They have a vast number of data nodes to trawl through (many of them from bots/scrappers etc) so I don’t think they would have it as an initial alert trigger, as @Winter so succinctly put it “If you wan to have at least a chance to sift through the hay to find a needle, do not buy extra hay stacks”

However I do imagine that if you got onto a list of some sort, the wiki readings would definitly count towards their “verification of presumed guilt” and would be automatically searched through, along with amazon, gun, chemical purchases, travel etc etc

JonKnowsNothing • May 28, 2015 9:06 AM

@Winter and others

If you are after sharks, you should fish at sea, not in a freshwater pond. This is fishing for sharks in a high school fish pond.
If all you are after is an excuse to jail people, why go to the length of hooking some Wikipedia pages?

I think you have finally hit the nail on the head. It’s NOT efficient. It doesn’t work. There’s too much noise in the system to find the needle.

As to why they bother at all, it’s about your life pattern and future policing/predictive behavior algorithms. These are the same predictive algorithms used by Facebook and Social Media to censor your data feeds to only show you “what you like” and what “they” think you will like. And that’s just another aspect of the problem.

Maybe you could apply to be head of the NSA? Do you have a Military Commission of General or Admiral? Maybe you could get one from a pay-to-win Military System in another country? Maybe even an honorary one?

And remember, it’s not about Wikipedia, it’s about the WORDS you type. It’s all in the METADATA. That’s what’s collected.

Section 215 is only one authority. There are others and more authorities that are “suspected to exist” but remain hidden behind the National Security locked door.

It’s all in the METADATA, just type it in Google. You don’t even need to press submit, just typing it in the search bar is enough.

And it’s not about the NSA or the 5EYES or the 14EYES. Every security service that has access to even reasonable computing power can now buy an off-the-shelf NSA-style data collection system. In the USA we maybe focusing on the 5EYES but these sorts of Haystack Collectors are deployed in nearly every country.

It’s Global.

JonKnowsNothing • May 28, 2015 9:19 AM

@Eldoran

I’m curious, how could you check if there is a bug in the application which allows a race condition WITHOUT actually having the (source) code or trying to trigger said race condition?
Unless starbucks is making the application available to willing bughunters?
I mean in the race condition should be in something that is not under the control of the potential attacker – if that were the case, that would be an even more dangerous bug.

I might guess that the researcher is familiar with the POS system used at Starbucks or is knowledgeable about them in general.

You used to be able to buy a POS one for development purposes and sometimes companies gave them away free. Now you can probably buy a used one from a hi tech junk dealer.

If you have the specific documentation and/or official standards you can probably reverse engineer what they did and how they did it.

If you have experience in that field you might already know that this is a common problem for that application type. Maybe he was writing his own program and ran into the issue during his own testing.

I doubt that he was actually interested in creating a $5 fraudulent transaction. Starbucks coffees cost way more than $5.

Jane • May 28, 2015 11:24 AM

@Eldoran

Race conditions are a common code weakness (think ‘buffer overflow’). As commenters early in the thread mentioned, database programmers often don’t have the time or the expertise to implement financial database transactions correctly. If you’ve ever seen “please do not click the submit button more than once” on a web page, then you’ve seen what’s probably the most common “fix” used to pretend the problem’s been addressed.

If you’re particularly curious, you might check out the CWE (Common Weakness Enumeration), cwe.mitre.org

I doubt a programmer or security researcher would need to know anything about point of sale systems to suspect such a vulnerability.

rgaff • May 28, 2015 2:35 PM

@ Winter

“If you wan to have at least a chance to sift through the hay to find a needle, do not buy extra hay stacks.”

The problem is, from their perspective, it’s not just finding a needle. It’s finding ALL needles. Every single one of them. Everywhere. No exceptions. Now and forever into the future. This is why they’re going after ALL hay stacks, not just the ones where there are obviously the most needles.

This is the basis of the whole “collect it all” mentality, and spending billions upon billions on miniscule risks that are far far less likely than being killed by slipping in the bathtub or getting struck by lightning. Where are the anti-bathtub police or anti-lightning police? Why aren’t they bursting into people’s homes and forcing them at gunpoint to put non slip stickers in their bathtubs? Or why aren’t they kidnapping young children standing in open fields in the middle of thunderstorms? For their own good, of course. lol. Am I making myself clear that what they’re doing is even more ridiculous?

rgaff • May 28, 2015 2:44 PM

@ Jane

“If you’ve ever seen “please do not click the submit button more than once” on a web page, then you’ve seen what’s probably the most common “fix” used to pretend the problem’s been addressed.”

Yeah, I’ve seen that. And it works because I don’t want to be double-charged… but it doesn’t make me feel good about the safety of my financial information.

I’ve also seen web developers who put in some javascript that disables the button on first click, thus preventing any second click while the first one is being processed. This certainly works for innocent people who have javascript turned on, but it totally fails when javascript is turned off, or when there’s malicious intent… But most developers I’ve seen don’t care about that, they just care about showing it to some manager as “fixed”… and the manager wants it that way too, because they only care about showing it to the customer as “fixed”… etc. They actually wouldn’t care at all except that double-clicking when you only need a single click is fairly common…

thevoid • May 28, 2015 3:20 PM

@rgaff

You make a good point. I’m unsure why so many seem to have forgotten that it’s not criminal to be curious about the world around you, in fact it’s natural. What’s unnatural is censoring your own learning out of fear of retribution from your government! This is literally “dark ages” formation material!

true. but this dark age already started a while back. it’s only now that people start to notice it, but the roots are already firmly in place. for those of you who are not historically inclined, this is what the end of a civilization looks like. it’s mind blowing for me to see all the signs.

the type of people who become ‘authorities’ are not the most imaginative people, and if they can’t imagine it, it’s not true… they also tend to be the most monkey-like, thus are only concerned with power (sorry, i mean ‘order’). so this is what the authorities push, and the herd just goes along with it. which is particularly sickening in america, how everyone just folded… (i’ve said it before: may their chains rest (not so) lightly upon them).

you know, after 9/11, based more on what was being SAID than anything else, i started to feel like i was in the twilight zone. things politicians and others were saying were SO reminiscent of nazi germany. i was not alone in this feeling, others had it too, but it went away, it became the new normal. unlike others i never accepted it, but cognitive dissonance got most of the rest (amazing really how many people who saw the rising fascism, then seemed to forget it. the startled herd lowered its heads and kept grazing.)

i’ve been getting that feeling again in the last year or so, except now it feels like the soviet union. now we have thought-crime. i am reminded of what Cameron just said: “For too long, we have been a passively tolerant society, saying to our citizens ‘as long as you obey the law, we will leave you alone’.”

Bystander • May 28, 2015 4:09 PM

Starbucks missed an opportunity for a good PR move.

Race conditions are something to deal with on a regular base when you develop circuits for programmable logic. You learn to spot it and avoid it.
Going through this could be an interesting step for future software developers…

rgaff • May 28, 2015 4:12 PM

@ thevoid

Yes. Agreed completely.

But there is hope. It’s not hope in our governments or even our societies. It’s hope in you, and me, and a few others, that we’ll keep looking for ways to be different than the herd. There is hope in us as individuals, if we look to be better somehow. Don’t give up.

thevoid • May 28, 2015 10:49 PM

Yes. Agreed completely.

But there is hope. It’s not hope in our governments or even our societies. It’s hope in you, and me, and a few others, that we’ll keep looking for ways to be different than the herd. There is hope in us as individuals, if we look to be better somehow. Don’t give up.

couldn’t have put it better myself. yep, it’s not hopeless. if i believed it was, i wouldn’t bother reading or posting here. this is a place for the more intelligent individuals.

history also shows new civilizations rise out of the wreckage of old ones, and for the people nothing really changes too fast. civilizations tend to die slow deaths. Rome took 400 years. Mayan civilization fell long before the Spaniards arrived, but the people to this day still live much as they did then. their dress, their food, their crops. in India archaeologists digging up ruins thousands of years old found a continuity of offering for well over 4000 years. people had been making the offerings long after these temples had gone to ruin. you can see the progression from stone beads to glass to plastic. some things change, many things do not.

the husks of corn have to be manually opened, so corn cannot reproduce in the wild. yet it has at least 8000 years of history, during which numerous civilizations rose and fell. life goes on.

and the forest is always rejuvenated after a fire.

rgaff • May 29, 2015 12:03 AM

There’s a “better country”… 🙂

Rob • May 29, 2015 12:36 AM

Re: needles in hay

Right tools for the right job. Bringing a magnifying glass won’t help much but say a metal detector or a really big piece of magnet may… anyways they got plenty of smart folks to figure it all out it’s nonsensical for us to speculate.

rgaff • May 29, 2015 12:06 PM

“they got plenty of smart folks to figure it all out it’s nonsensical for us to speculate.”

I disagree with this kind of attitude. This is essentially like saying “Our almighty leaders are like Gods, us lowly peon subjects should never question them!” This is how it works under totalitarian dictatorships, but that doesn’t make it right.

In free society, our leaders are subject to us, not the other way around. They are “civil servants” and WE are THEIR bosses, they are not kings or emperors to rule over us. This means we have every right to question what they are doing until we understand it.

bigmacbear • May 29, 2015 4:51 PM

@JonKnowsNothing:

I might guess that the researcher is familiar with the POS system used at Starbucks or is knowledgeable about them in general.

You used to be able to buy a POS one for development purposes and sometimes companies gave them away free. Now you can probably buy a used one from a hi tech junk dealer.

I see what you did there… 😉

Guest • May 29, 2015 8:19 PM

Bruce or others, how do you make it in an organization’s interest to provide an easy channel for the public to submit “this doesn’t seem right” reports? (Or would the crooks just flood such a channel with low quality data?)
I have plenty that I would like to submit, for one service that the government provides.

Guest • May 29, 2015 8:43 PM

One possible solution: add a reqt to getting a business permit, that the application name a staff position+contact channel for reporting security lapses to. (Preferably one that isn’t being monitored by crooks)

Guest • May 29, 2015 8:47 PM

There isn’t a bricks-and mortar government office with staff that’s professional & Banana-Republican-free, for reporting this stuff in major cities, is there?

Guest • May 29, 2015 8:52 PM

Or maybe we just need one of our billionaires to create a contest, with prize, for reporting structural security flaws in citizen-support infrastructure.

Figureitout • May 30, 2015 9:40 AM

Guest
Or would the crooks just flood such a channel with low quality data?
–Good point, not really brought up much w/ security researchers trying to get their bugs taken care of. In addition to straight spam, worse deliberate trolling, or even worse false “security patches” that open up new vulnerabilities; these concerns need to be considered opening up a “free-for-all” channel…

Q • June 4, 2015 6:32 PM

Double spends! Adorable!

Schneier on Security

Race Condition Exploit in Starbucks Gift Cards

Comments

Standardization of Public Bug Hunt Request

Leave a comment Cancel reply