Starbucks "Tweet a Coffee" potential security vulnerability
Starbucks has recently implemented a program allowing you to tweet @tweetacoffee to @... (https://www.starbucks.com/tweet-a-coffee).
This in itself seems innocent enough, but given the frequency with which Twitter accounts are hacked, this seems a potential security issue.
As a hacker, if I scrape Twitter for anyone who has ever used this functionality (basically anyone who has tweeted @tweetacoffee), I can see which account are tied to Starbucks, and subsequently target those accounts.
If I gain access to even a single one of those accounts, I can then send myself, or anyone really, money. Up to this point, when your account got hacked on Twitter, you basically just had to deal with embarrassing tweets or phishing attempts. Now hackers have direct access to your credit card.
Does anyone else agree with this, or am I totally out there on this?
2 comments
[ 3.0 ms ] story [ 11.1 ms ] threadI think it comes down to convenience outweighing the downsides. Since for most people it won't be an issue and for anyone it does happen to, they would simply notify their Bank immediately who would simply void the charges while they look into the fraud. I assume Twitter or Starbucks sends a receipt email after a Tweetacoffee occurs.
It would make sense to require users to enable double authentication in Twitter to be able to use the send money feature or in gmail to use Square Cash but doubt that would ever happen since people can already enable double authentication and the people who don't, don't know how to or don't want to and forcing them to would defeat the whole purpose which is convenience.
Good point though and will be interesting to see what happens with all of these services.