Thailand - Insecure Direct Object Reference permits an unauthorized user to transfer funds from a victim using only the victim's Starbucks card
Team Summary
Official summary from Starbucks
nnez discovered that a hacker could transfer funds from one Starbucks card to another by inspecting the form with Google Chrome DevTools and then changing the form's "CardNumber" value to a victim's valid Starbucks card number. If the value entered for the "FullAmount" form field did not exceed the actual victim's Starbucks card balance, the transfer would generate an error message but successfully transfer the "FullAmount" value, which could be validated by navigating back to the Card Information page. @nnez — thank you for reporting the original vulnerability and for confirming the resolution.
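The pattern in the summary, as an added example that is not Starbucks's code and is not part of the original report: a transfer handler that takes the source card straight from the submitted "CardNumber" field beside one that first checks the card belongs to the authenticated user. The "TargetCardNumber" field, the card numbers, the balances and the account names are constructed for the example. The report does not say why an error was shown even though the funds moved; the vulnerable handler below models that symptom as an ownership check that runs only after the balances have been updated, which is an assumption about one way it could happen, not the reported root cause.

```python
"""Added example modelling the IDOR described in the report (not Starbucks's code).

Assumptions: field names other than CardNumber and FullAmount (i.e. TargetCardNumber)
are invented; amounts are integer cents; card data below is constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class Card:
    number: str
    owner: str      # account that the card is linked to
    balance: int    # cents


class TransferError(Exception):
    pass


class Ledger:
    def __init__(self, cards):
        self.cards = {c.number: c for c in cards}

    def transfer_vulnerable(self, session_user, form):
        """IDOR: form['CardNumber'] is trusted as the source card.

        The only ownership check is modelled (assumption) as running AFTER the
        balances change, so the caller sees an error while the funds still move.
        """
        src = self.cards[form["CardNumber"]]
        dst = self.cards[form["TargetCardNumber"]]
        amount = int(form["FullAmount"])
        if amount <= 0 or amount > src.balance:
            raise TransferError("invalid amount")
        src.balance -= amount
        dst.balance += amount
        # Too late: state has already been mutated when this fires.
        if src.owner != session_user:
            raise TransferError("card not linked to your account")
        return "ok"

    def transfer_fixed(self, session_user, form):
        """Authorize the source card against the session, validate, then mutate."""
        src = self.cards.get(form.get("CardNumber"))
        if src is None or src.owner != session_user:
            # Same message for unknown and not-owned cards: do not leak which exist.
            raise TransferError("card not linked to your account")
        dst = self.cards.get(form.get("TargetCardNumber"))
        if dst is None or dst.number == src.number:
            raise TransferError("invalid target card")
        try:
            amount = int(form.get("FullAmount", ""))
        except ValueError:
            raise TransferError("invalid amount")
        if amount <= 0 or amount > src.balance:
            raise TransferError("invalid amount")
        src.balance -= amount
        dst.balance += amount
        return "ok"


def build_demo_ledger():
    """Constructed sample data: a victim card with funds and an empty attacker card."""
    return Ledger([
        Card("6100000000000001", owner="victim", balance=5000),
        Card("6100000000000002", owner="attacker", balance=0),
    ])


def run_attack(handler_name):
    """Attacker submits the victim's number as CardNumber while logged in as 'attacker'.

    Returns (outcome, victim_balance, attacker_balance) after the request.
    """
    ledger = build_demo_ledger()
    form = {
        "CardNumber": "6100000000000001",        # victim's card, edited in DevTools
        "TargetCardNumber": "6100000000000002",  # attacker's own card
        "FullAmount": "1000",                    # must not exceed the victim's balance
    }
    handler = getattr(ledger, handler_name)
    try:
        outcome = handler("attacker", form)
    except TransferError as e:
        outcome = f"error: {e}"
    return (outcome,
            ledger.cards["6100000000000001"].balance,
            ledger.cards["6100000000000002"].balance)


if __name__ == "__main__":
    for name in ("transfer_vulnerable", "transfer_fixed"):
        print(name, run_attack(name))
```

Both handlers return an error to the attacker; the difference is the balances afterwards. The fixed version resolves the source card from the session before any state changes, which is the check an IDOR of this kind is missing.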
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
Insecure Direct Object Reference (IDOR)