Starbucks’ API key found in public GitHub repository – reports

Starbucks’ API key found in public GitHub repository – reports Developer is a hub for the latest news, blogs, comment, strategy and advice from leading brands and experts across the apps industry. It provides a free, practical resource that aims to help developers negotiate the industry, access top level advice and ensure they are able to negotiate the industry as effectively and profitably as possible.


Developers at Starbucks left an API key in the public GitHub repository that could have given any attacker the access to the coffeehouse chain’s internal systems who would have easily manipulated the list of authorised users.

As first reported by Bleeping Computer, the API key’s vulnerability level was set to critical because it enabled access to a Starbucks JumpCloud API, but it was spotted by vulnerability hunter Vinoth Kumar, who found the key and disclosed it responsibly through the HackerOne vulnerability coordination and bug bounty platform.

JumpCloud is an active directory management platform billed as an Azure AD alternative, which provides user management, web app single sign-on (SSO) access control, and Lightweight Directory Access Protocol (LDAP) service.

Starbucks was eventually satisfied with Kumar’s remediation and rewarded him with a $4,000 (£3,047) bounty for the disclosure.

Last month, StrongSalt released its Open Privacy API to improve the security of developers’ applications. StrongSalt offers APIs and SDKs for most of the leading cloud providers, including Box, AWS S3, Google Cloud, and Azure. StrongSalt can also supply cloud storage for those without a current provider. The Open Privacy API provides encryption features so developers can focus more on building great apps without having to learn the cybersecurity expertise needed to make them secure.

During the same time, API development firm Postman released some of its interesting findings about the various types of people who are engaging with APIs. More than half (53%) of the 10,000 respondents who said they used APIs did not have the title of "developer". This represented a significant increase over 2018 when 59% said they were either front-end or back-end developers. Some of the non-developer roles where people are engaging with APIs include technical writers and executives. Postman found 74% API development teams are small with below 10 members.

Interested in hearing industry leaders discuss subjects like this and sharing their use-cases? Attend the co-located 5G ExpoIoT Tech Expo, Blockchain Expo, AI & Big Data Expo, and Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London, and Amsterdam.

View Comments
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *