He found bugs on the Starbucks website, got thousands of dollars for it

Websites are vulnerable, but large companies cannot afford the vulnerability. Therefore, some are issuing special calls for IT professionals to help them find systems security vulnerabilities. Patrik Hudák, a student at the MU Faculty of Informatics, also joined one of these.

He helped the Starbucks coffee chain uncover a problem that the company eventually valued at $2,000. And then another, rewarded with the same amount. Website security is Hudák's big topic. He has already written a bachelor's degree about him and now in the spring also a master's thesis, which he successfully defended to an excellent degree.

In addition, he already worked for a security startup at school, which contributes to improving the security of companies' websites. People like him can very well detect new types of vulnerabilities, and this is exactly the category that Hudák was the first to find on the coffee chain's website.

So far, few experts, let alone companies, are aware of it, so it is only possible to solve it slowly and gradually. In particular, only a few scholarly texts describe this vulnerability, even though such cases happened already four years old. This can be summarized under the notion of taking over a subdomain, and it is very much related to the use of cloud services, ie virtual storage.

"For example, if you want to create an e-shop, you can do it on your server or use a cloud service, which has its advantages under certain conditions. The end user does not know it, because the e-shop has an address that looks like yours, but the real one is different, because it also refers to the service provider", suggests Hudák.

In order to connect the cloud provider and the customer's website, an electronic connection must be established between the two parties. And this can be problematic later. When the customer stops needing the service and ceases to pay for it, their web address will no longer work, but the connection to his website will remain alive. When someone else orders a service and deliberately asks for the same address, they can then virtually look like the original owner and use it to act unfairly.

This basic description can take on various specifics in real use. Hudák described it in his master's thesis and, in addition, created a domain verification tool to find specific examples and confirm his theory in real technical life. At the same time, he focused on companies that honor or appreciate help of this type, at least in some other form, in order to make a name for himself as a student.

"In the case of Starbucks, the first vulnerability was the delivery of site content, which is located on different servers in different locations to ensure greater speed. Thanks to that, I was able to control the content of the domain", describes Hudák, who found something like a forgotten side entrance. Using it, he could place any of his own content on the web.

Finding such a side entrance is not easy, and if you succeed, there are not many such possibilities. Therefore, when Hudák reported the mistake he found to the company, he described it as not very dangerous. "That's why I was quite surprised when the company itself changed the classification to high in two days. I also offered to help them, but no one answered. Nothing happened for four months, and then in July I received an e-mail saying that they thanked me, closed the case and sent me two thousand dollars", says Hudák.

The amount surprised him. Rewards in the hundreds of dollars are common. Another surprise came when a recent graduate found a similar mistake at the same company and the company paid him another two thousand dollars. Hudák has a sense of smell mainly for honored programs. He also has his own page on the Internet, where everyone can see to whom and what problems he reported.

He is also currently considering setting up his own security startup. According to him, similar revelations will increase. So far, cloud service providers are closing their eyes to the problem. Those interested usually rent a cloud space under the name they want, without the cloud provider verifying that it does not infringe on someone else's property rights.