06.03.2020

Starbucks awards. Starbucks bonus card. Starbucks card levels


Starbucks coffee shops are a popular place to relax and meet for lovers of high-quality coffee and a relaxed atmosphere. The company started out selling its own roasted beans and now opens establishments where every visitor can not only enjoy a delicious coffee drink but also have breakfast or a snack, and buy professional coffee-making equipment and branded serving accessories. The company's representatives in Russia take care of their customers and offer them participation in the Starbucks "My Awards" program.

How to get a card

Any customer of the coffee shop chain who is over 14 years old is entitled to a bonus card. It must be topped up with money and used to pay for all goods in Starbucks cafes. For each purchase, the customer receives 1 star. 12 collected stars entitle the holder to an "award" in the form of a free coffee, tea or dish, except for whole pies and cakes.

A plastic card can be issued at the checkout of any Starbucks outlet, or a virtual equivalent can be created online in the Starbucks Russia mobile application. The card is activated after registration on the site www.starbuckscar.ru and the first top-up.

Features of use

The Starbucks card gives its owner pleasant bonuses, but you need to know how to use it correctly:

  1. After registering in the Starbucks program, you must activate the card on the site www.starbuckscar.ru and deposit a minimum amount of 500 rubles. Activation takes place within 24 hours.
  2. For bonuses to be credited, you must pay for goods with the Starbucks card only.
  3. The award is valid for 30 days from the date it is granted; after this period the bonus is reset.
  4. You can view the balance and the history of bonus debits and credits, and top up the card, in the personal account on the site www.starbuckscar.ru or through the mobile application. The application also makes it possible to pay for an order directly from the phone screen (when a virtual card is registered).
  5. The company's website lets you set up automatic or one-time top-up of a plastic or virtual card account. To do this, link a bank payment card in your personal profile and make a one-time payment or set up recurring top-up. Available scenarios: money is added when the balance reaches a minimum, on a certain day of each week, or on a certain date of the month.

Program levels

When registering in the bonus program, the customer receives a Green Level card. To keep the collected stars from being reset, you need to make at least 1 purchase in 12 consecutive months. Otherwise, you can lose all accumulated stars. Green Level makes it possible to exchange 12 stars for a coffee drink or dish.

Golden level is assigned on condition that 30 or more stars are accumulated during the year. Privileges:

  • A free bonus order of any product from the range of drinks or food in exchange for 12 accumulated stars;
  • Congratulatory promotion: the opportunity to get a free coffee or dish in honor of a holiday;
  • Golden card design;
  • Exclusive promotions that can be tailored to personal preferences in the choice of goods or payment method. You can also get a discount on dishes or drinks.

Creating a personal account lets you carry out useful operations with the card, among them: activation, checking the balance and awards, one-time or recurring automatic top-up, and viewing the transaction history.

To register an account, go to the site www.starbuckscar.ru and select the Registration tab.

Then enter your phone number and click the "Code" button.

In the window that opens, enter the received code.

Next, fields become available for the number and PIN code of the card obtained in the cafe (the PIN is on the back of the plastic card under the scratch panel, next to the 12-digit number) and for personal data. You can also agree to receive news and promotions by e-mail.

Mobile application "Starbucks Russia"

For the convenience of customers, Starbucks has developed and released an application for Android and iOS. The application lets you activate an existing card and scan its barcode or create a fully electronic version, learn about new promotions and offers, and find the nearest coffee shops. In "Starbucks Russia" you can view the details of your personal account.

Card top-up and online order payment are available.

The application will also notify you when awards are available.

Having a Starbucks card is the mark of a true coffee connoisseur: a badge of distinction that also makes life better. Starbucks has created its own internal currency, Stars, which program participants earn and accumulate and can exchange for bonuses in Starbucks coffee houses.

To become part of the bonus program, it is enough to go to the official site Starbuckscard.ru and register a card. There you will find a list of establishments that take part in the promotion.

You can get a physical card in any café of the chain by choosing the design you like and immediately topping up the balance with an amount from 500 to 10,000 rubles for further purchases. You can also buy a Starbaxgifts card online on the site http://starbuckscoffee.ru/ru/.

How to register a Starbucks card?

Registering a Starbucks card turns it from just a convenient payment product into a generator of gifts and bonuses.

To access them, you can use one of the following ways:

Step 1. Go to the site http://starbuckscaffee.ru/ru/


Step 2. Create a personal account, following detailed instructions.


Step 3. Register the Starbucks or Starbaxgifts card on the site.

  1. Download the Starbucks mobile app.
  2. Create an account.
  3. Register the Starbucks or Starbaxgifts card in the application.


Starbucks card levels

The number of gifts and bonuses from Starbucks depends entirely on the activity of the program participant and their love of coffee drinks. After each completed purchase, one star (Stars) is awarded.

The more stars, the higher the status of the card.

Green Level

The green level is assigned to the participant immediately after acquiring the card; to maintain it, at least one purchase must be made during the year after the card is registered on Starbuckscoffeeeru. If no stars were added to the card balance during this time, the green-level privileges are frozen.

Golden level

You can move from the green level to the gold level after receiving 30 stars per year.


Features of the Starbucks card

The card balance is reliably protected from theft and can be restored if the card is lost. Such a card can be an excellent gift with a recognizable design such as "Paper Hearts" or "Summer".

Registering the Starbucks card also gives access to all transactions, balance checking directly from a mobile device, and tracking of bonus activity and privileges.

Green Level Privileges

Golden-level privileges

  1. The ability to receive any drink or one dish, with the exception of whole cakes, for every new 12 stars.
  2. Any drink or dish, with the exception of whole cakes, as a gift for your birthday.
  3. Updated design in gold color.
  4. Participation in special offers that are distributed via SMS or e-mail newsletter.

How to use the Starbucks mobile application?

The Starbucks mobile application is suitable for all devices. With it, you can view the nearest coffee shops, carry out balance and automatic top-up operations, make transfers between cards, and keep up with special promotions and offers.

The Starbucks bonus program brings its customers even closer to coffee: it lets you explore the range of coffee beans not only with benefit for body and soul, but also with sensible top-ups and budget savings.

May 21, 2015 at 12:01

How I hacked Starbucks for unlimited coffee

  • Information Security,
  • Website development

This is a story about how I found a way to generate an unlimited amount of money on Starbucks gift cards, thereby securing a lifelong supply of free coffee, or stealing a couple of million in other ways.

So, not so long ago, I came up with the idea of buying 3 Starbucks cards for $5 each.


The site Starbucks.com has a personal account where you can add these cards, check the balance and even transfer money between the cards.

There is a little-known class of vulnerabilities called "race condition". I can confidently say that most applications that could be vulnerable to this attack most likely are vulnerable, because not every programmer takes into account factors such as parallel execution of code and its consequences when designing programs.

It is found in web applications too, usually in functions related to money, points, candies or vouchers. I will cover all the intricacies of exploitation another time; for now, let's get back to the transfer between cards at Starbucks.

The transfer was built from several stateful requests. Schematically, the first request, POST /step1?amount=1&from=wallet1&to=wallet2, stored all these values in the session on the server, and only the second, POST /step2?confirm, carried out the transfer using the data already stored in the session and cleared it.

This significantly complicates exploitation compared with a classic race, where you only need to repeat the same request several times simultaneously. After all, as soon as the first request clears the session, the second one runs into an empty session! To make it work somehow, I would have had to craft a complex combination of requests that writes to the session right after the first request clears it and before the second request executes. This might work once in a million attempts, or not at all.

But there is always a workaround for such "half-protection": you can log in to the same account from two different browsers/sessions. Then exploitation looks like this:

# Stage the transfer parameters in both sessions
curl starbucks/step1 -H "Cookie: session=session1" --data "amount=1&from=wallet1&to=wallet2"
curl starbucks/step1 -H "Cookie: session=session2" --data "amount=1&from=wallet1&to=wallet2"
# Simultaneous confirmation of a $1 transfer from card 1 to card 2
curl "starbucks/step2?confirm" -H "Cookie: session=session1" & curl "starbucks/step2?confirm" -H "Cookie: session=session2" &

After 5 attempts, nothing interesting had happened and I wanted to give up. The peculiarity of a race condition is that an outside attacker can only find it by trying, because it is not known what protections are in place (a limit on the number of requests per IP? per account? per action?), and the only way to check whether you are vulnerable is to carefully audit the source code for proper pessimistic locks in the database.
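
The pessimistic lock mentioned above, as an added example (not code from the original post or from Starbucks): a two-step transfer confirmed from two sessions at once, first with an unlocked check-then-act and then with the write lock taken before the balance is read. The table layout, function names and $5 amounts are assumptions; SQLite's BEGIN IMMEDIATE stands in for a SELECT ... FOR UPDATE row lock, and a barrier forces the worst-case interleaving so the result is repeatable.

```python
import os, sqlite3, tempfile, threading

def new_db():
    """Constructed sample data: two $5 cards on one account."""
    path = os.path.join(tempfile.mkdtemp(), "cards.db")
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE cards (id TEXT PRIMARY KEY, balance INTEGER)")
    db.executemany("INSERT INTO cards VALUES (?, ?)", [("wallet1", 5), ("wallet2", 5)])
    db.commit()
    db.close()
    return path

def balance(db, card):
    return db.execute("SELECT balance FROM cards WHERE id = ?", (card,)).fetchall()[0][0]

def move(db, t, seen):
    # The debit is computed from the balance read earlier, as in naive application code.
    db.execute("UPDATE cards SET balance = ? WHERE id = ?", (seen - t["amount"], t["from"]))
    db.execute("UPDATE cards SET balance = balance + ? WHERE id = ?", (t["amount"], t["to"]))

def confirm_unlocked(path, session, gate):
    """Check-then-act with no lock: the balance that was checked may be stale when written."""
    t = session.pop("transfer")      # step2 clears only this session, not the other one
    db = sqlite3.connect(path, timeout=5, isolation_level=None)
    seen = balance(db, t["from"])
    gate.wait()                      # test hook: both requests have read before either writes
    if seen >= t["amount"]:
        move(db, t, seen)
    db.close()

def confirm_locked(path, session, gate):
    """Same logic, but the write lock is taken before the balance is read."""
    t = session.pop("transfer")
    db = sqlite3.connect(path, timeout=5, isolation_level=None)
    gate.wait()                      # both requests arrive together
    db.execute("BEGIN IMMEDIATE")    # the second request blocks here until the first commits
    seen = balance(db, t["from"])
    if seen >= t["amount"]:
        move(db, t, seen)
    db.execute("COMMIT")
    db.close()

def race(confirm):
    """Two sessions of one account stage the same $5 transfer, then confirm simultaneously."""
    path = new_db()
    sessions = [{"transfer": {"amount": 5, "from": "wallet1", "to": "wallet2"}} for _ in range(2)]
    gate = threading.Barrier(2)
    threads = [threading.Thread(target=confirm, args=(path, s, gate)) for s in sessions]
    for th in threads:
        th.start()
    for th in threads:
        th.join()
    db = sqlite3.connect(path)
    return balance(db, "wallet1"), balance(db, "wallet2")
```

`race(confirm_unlocked)` ends with $0 and $15 on the two cards, $5 more than the account started with, while `race(confirm_locked)` ends with $0 and $10 because the second confirmation sees the emptied card.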

A miracle occurred on the 6th request: the transfer was performed twice and I had two cards with 15 and 5 dollars, 20 in total. To count this as a proof of concept, it remained to make sure that the store would accept these cards.

I went to the nearest shop on Market St.

- Give me something for $16.
- O_O.
- Well, what is your most expensive item?
- Those sandwiches.

It came to $16.70.

So, 15 dollars were invested in our small operation, and purchases were made for 16.70. Knowing the attitude of the humane US courts toward hackers, I got home and immediately credited another $10 from a credit card to the Starbucks card, so as not to owe the corporation as much as $1.70, you never know.

The hardest part was the reporting process. Support honestly replied that they could not connect me with the technical team at all, and that they were very sorry that I "feel this way". I wrote to [email protected] on March 23: silence (they did reply, by the way, as late as April 29). I had to find people who actually cared, and only after 10 days was the vulnerability fixed.

Nobody said thank you, but there was an unambiguous hint that I had committed "fraud" and "malicious actions" and that they would still think about what to do with me.

And what could I have done? I could have run a farm of fake gift cards bought in different stores around the world, generated a lot of money on them and sold them on special discount sites at a 50 percent discount (so as not to arouse suspicion) for bitcoins. Working like that for a year or two, it would have been possible to siphon a couple of million dollars from this friendly company with sweet coffee.

