Egor Homakov made it actually happen. In his blog post he describes how he managed to find a way to generate an unlimited amount of money on Starbucks gift cards.
If you are like me, the only thing you want to know now is “HOW?!” (and your second thought will probably be: I want this so bad!). So let me curb your enthusiasm right now: Homakov of course did the right thing and reported the exploit to Starbucks.
Now back to the topic! The security expert exploited a type of vulnerability called a “race condition”. He bought three Starbucks cards for $5 each and tried to use the vulnerability to transfer money between the cards without it being deducted.
“So the transfer of money from card1 to card2 is stateful: first request POST /step1?amount=1&from=wallet1&to=wallet2 saves these values in the session and the second POST /step2?confirm actually transfers the money and clears the session”, Homakov writes and continues: “After 5 failed attempts I was about to give up. Race condition is a kind of a vulnerability when you never know if the app is vulnerable, you just need to try some more. […] But yeah, the 6th request created two $5 transfers from wallet1 with 5 dollars balance. Now we have 2 cards with 15 and 5 (20 in total).”
The only thing left to do was to buy something with this money in order to deliver the proof of concept. One chicken sandwich, a few bottles of water, and some gum later the new balance on his cards was $5.70.
Starbucks was pretty unhappy with the stunt despite Homakov adding the $10 to his account from his credit card and disclosing the bug immediately. They might have been even unhappier, though, if a lot of hungry and coffee-addicted customers had abused the system …
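To make the two-step transfer bug concrete, here is an added example (not Starbucks' code and not from Homakov's post) that models the check-then-act flaw next to a fix that checks and debits in a single conditional UPDATE. The table layout, function names and the forced interleaving are assumptions chosen for illustration.

```python
import sqlite3

def fresh_db():
    # Constructed sample data: three $5 cards, as in the story above.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wallets (id TEXT PRIMARY KEY, balance INTEGER)")
    db.executemany("INSERT INTO wallets VALUES (?, ?)",
                   [("wallet1", 5), ("wallet2", 5), ("wallet3", 5)])
    db.commit()
    return db

def balance(db, wallet):
    row = db.execute("SELECT balance FROM wallets WHERE id = ?", (wallet,)).fetchone()
    return row[0]

def total(db):
    return db.execute("SELECT SUM(balance) FROM wallets").fetchone()[0]

def racy_transfers(db, src, dst, amount, requests=2):
    """Check-then-act: every request validates before any request writes."""
    # Hypothetical interleaving, forced here so the outcome is deterministic.
    seen = [balance(db, src) for _ in range(requests)]   # all checks run first
    done = 0
    for stale in seen:                                   # then all writes run
        if stale >= amount:                              # decision made on a stale read
            db.execute("UPDATE wallets SET balance = ? WHERE id = ?", (stale - amount, src))
            db.execute("UPDATE wallets SET balance = balance + ? WHERE id = ?", (amount, dst))
            done += 1
    db.commit()
    return done

def atomic_transfer(db, src, dst, amount):
    """Check and debit in one statement, inside one transaction."""
    with db:
        cur = db.execute(
            "UPDATE wallets SET balance = balance - ? WHERE id = ? AND balance >= ?",
            (amount, src, amount))
        if cur.rowcount != 1:      # insufficient funds: nothing was debited
            return False
        db.execute("UPDATE wallets SET balance = balance + ? WHERE id = ?", (amount, dst))
    return True

if __name__ == "__main__":
    db = fresh_db()
    print("racy:", racy_transfers(db, "wallet1", "wallet2", 5), "transfers, total", total(db))
    db = fresh_db()
    results = [atomic_transfer(db, "wallet1", "wallet2", 5) for _ in range(2)]
    print("atomic:", results, "total", total(db))
```

In the racy version the $15 across the three cards becomes $20; in the atomic version the second transfer is refused and the total stays at $15.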