It's somewhat incompetent to feed production data to the test environments (or did they run tests on the production?). And it's unclear if Starbucks Sg fixed this hole or not.
It is not unusual or incompetent to feed production data to test env though I would grant that usually data is obfuscated prior to storing in the test env. The biggest offence here is to have the test envs accessible publically.
> The biggest offence here is to have the test envs accessible publically.
I don't know if it's the case for Starbucks, but many large companies like that rely on a bunch of outside vendors/agencies for their development, with the relationships primarily managed by their marketing department.
The test environments tend to be synonymous with staging environments, and need accessed by a variety of partners (and the actual company employees responsible for it) for the partners to do their part of the process and for the company employees to do their version of acceptance testing. Sometimes the access gets gated for whitelisted VPN/office IPs only, but especially with so many people working from home currently, they end up having to just open things up completely.
I would not have expected that based on the majority of my career, but I shifted into an agency environment with many Starbucks-like clients a few years ago, and it was like stepping into a whole new world. Our agency doesn't actually do dev work, but tend to be part of large inter-agency teams working on those sorts of projects. And that seems to be par for the course for 70%+ of the clients I've been involved in.
8 comments
[ 2.8 ms ] story [ 27.3 ms ] threadI don't know if it's the case for Starbucks, but many large companies like that rely on a bunch of outside vendors/agencies for their development, with the relationships primarily managed by their marketing department.
The test environments tend to be synonymous with staging environments, and need accessed by a variety of partners (and the actual company employees responsible for it) for the partners to do their part of the process and for the company employees to do their version of acceptance testing. Sometimes the access gets gated for whitelisted VPN/office IPs only, but especially with so many people working from home currently, they end up having to just open things up completely.
I would not have expected that based on the majority of my career, but I shifted into an agency environment with many Starbucks-like clients a few years ago, and it was like stepping into a whole new world. Our agency doesn't actually do dev work, but tend to be part of large inter-agency teams working on those sorts of projects. And that seems to be par for the course for 70%+ of the clients I've been involved in.
It is a big change from when I reported issues back in 2012[1] with them on the starbucks.com domains.
They were very nice though, and did let me keep a $200 credit which was quite rare at that time.
Also after they fixed it the SAME bug got reintroduced for some reason in 2015[2], and @homakov had the pleasure of reporting it again.
At the time I do NOT think they had any actual bounty programs like they do now.
I can only hope they now do proper regression testing for these types of issues.
[1] https://chadscira.com/post/556999d91cb00914380006ee/Re-Starb...
[2] http://sakurity.com/blog/2015/05/21/starbucks.html