Japan - CSRF in webapp.starbucks.co.jp with user interaction could leak an access token if the user was not using Chrome

elber discovered a CSRF in webapp.starbucks.co.jp leaked an access token if an authenticated user opened a crafted HTML file in a browser other than Chrome which has Same Site Attribute for the cookie set by default. elber also demonstrated the ability to add a Starbucks card to the account with the potential for a single account takeover at login.starbucks.co.jp, if the attacker could trick the user into executing another crafted HTML file. elber — thank you for reporting this vulnerability and for confirming the resolution.