Improper handling of payment callback allows topping up a Swiss Starbucks Card bypassing actual payment via a crafted success message
High
Starbucks
Team Summary
Official summary from Starbucks
khovansky uncovered that an attacker could register on https://xtras.starbucks.ch and, utilizing that registration, subsequently generate a reset password email via https://card.starbucks.ch. After resetting the password for the account, khovansky noticed this process auto-generates a virtual Swiss Starbucks card. khovansky could then top up this virtual card without completing a transaction by forging a "payment successful" callback. @khovansky — thank you for reporting this vulnerability and your assistance confirming the resolution.
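The root cause described above is a top-up handler that trusts the status field of an inbound payment callback. The following is an added, hypothetical illustration (not Starbucks' code, and nothing is known about their actual callback format): a handler that credits a card on any body saying "success", next to a hardened one that only credits after checking a provider HMAC over the raw body and rejecting replayed transaction ids. The secret, field names and ledger shapes are all constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed assumption: a secret shared only between the merchant backend and
# the payment provider; in production it would come from a secrets store.
PROVIDER_SECRET = b"constructed-shared-secret"


def vulnerable_topup(callback_body: dict, balances: dict) -> bool:
    """Credits the card whenever the caller says status == "success".
    Anyone who can reach the callback URL can top up any card this way."""
    if callback_body.get("status") != "success":
        return False
    card = callback_body["card_id"]
    balances[card] = balances.get(card, 0) + callback_body["amount"]
    return True


def sign(raw_body: bytes) -> str:
    """HMAC-SHA256 the provider is assumed to attach to each callback."""
    return hmac.new(PROVIDER_SECRET, raw_body, hashlib.sha256).hexdigest()


def hardened_topup(raw_body: bytes, signature: str,
                   balances: dict, credited: dict) -> bool:
    """Credits only when the signature over the raw bytes verifies and the
    provider transaction id has not been credited before (replay guard).
    A real integration would additionally confirm the transaction against
    the provider's API rather than relying on the callback alone."""
    if not hmac.compare_digest(sign(raw_body), signature):
        return False
    body = json.loads(raw_body)
    if body.get("status") != "success":
        return False
    txn = body["txn_id"]
    if txn in credited:
        return False
    credited[txn] = body["card_id"]
    card = body["card_id"]
    balances[card] = balances.get(card, 0) + body["amount"]
    return True
```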
Reported by
khovansky
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
Business Logic Errors