Starbucks’ API key found in public GitHub repository – reports
Developers at Starbucks left an API key in a public GitHub repository that could have given any attacker access to the coffeehouse chain’s internal systems and let them easily manipulate the list of authorised users.
As first reported by Bleeping Computer, the issue was rated critical because the key enabled access to a Starbucks JumpCloud API. It was spotted by vulnerability hunter Vinoth Kumar, who found the key and disclosed it responsibly through the HackerOne vulnerability coordination and bug bounty platform.
JumpCloud is an active directory management platform billed as an Azure AD alternative, which provides user management, web app single sign-on (SSO) access control, and Lightweight Directory Access Protocol (LDAP) service.
Starbucks was eventually satisfied with Kumar’s remediation and rewarded him with a $4,000 (£3,047) bounty for the disclosure.
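The root cause here is a credential committed to source control. A pre-commit or CI check that flags high-entropy values assigned to key-like names catches this class of mistake before a push reaches a public repository. The scanner below is an added example, not code from Starbucks or JumpCloud; it assumes the generic assignment names in the pattern and uses constructed sample snippets (the embedded key is fake). The only JumpCloud-specific detail is that its API is called with an `x-api-key` header.

```python
import math
import re
import sys
from collections import Counter

# Assignments or headers that commonly carry credentials. The JumpCloud API
# is authenticated with an "x-api-key" header; the other names are generic
# assumptions, not taken from any real repository.
ASSIGN_RE = re.compile(
    r"""(?i)(?:api[_-]?key|x-api-key|secret|token)['"]?\s*[:=]\s*['"]?([A-Za-z0-9+/=_\-]{20,})"""
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random keys score far above prose or placeholders."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secrets(text: str, min_entropy: float = 3.5):
    """Return (line_number, candidate) pairs that look like committed credentials.

    Low-entropy matches (e.g. "xxxxxxxx" placeholders) are dropped to cut false positives.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ASSIGN_RE.finditer(line):
            candidate = m.group(1)
            if shannon_entropy(candidate) >= min_entropy:
                hits.append((lineno, candidate))
    return hits


# Constructed samples: one file embeds a (fake) key, the other reads it from the environment.
SAMPLE_BAD = '''
JUMPCLOUD_URL = "https://console.jumpcloud.com/api"
headers = {"x-api-key": "f3a9Qx7LmP2vR8kT0bW5yZ1cN4dH6jE9sU3gV"}
'''
SAMPLE_GOOD = '''
import os
headers = {"x-api-key": os.environ["JUMPCLOUD_API_KEY"]}
'''

if __name__ == "__main__":
    # Usage as a hook: python scan_secrets.py <files...>; non-zero exit blocks the commit.
    found = False
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, cand in find_secrets(fh.read()):
                print(f"{path}:{lineno}: possible credential {cand[:6]}...")
                found = True
    sys.exit(1 if found else 0)
```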
Last month, StrongSalt released its Open Privacy API to improve the security of developers’ applications. StrongSalt offers APIs and SDKs for most of the leading cloud providers, including Box, AWS S3, Google Cloud, and Azure, and can also supply cloud storage for those without a current provider. The Open Privacy API provides encryption features so developers can focus on building their apps without having to acquire the cybersecurity expertise needed to make them secure.
Around the same time, API development firm Postman released some interesting findings about the various types of people who are engaging with APIs. More than half (53%) of the 10,000 respondents who said they used APIs did not have the title of "developer". This represented a significant increase over 2018, when 59% said they were either front-end or back-end developers. Non-developer roles engaging with APIs include technical writers and executives. Postman also found that 74% of API development teams are small, with fewer than 10 members.