Singapore - Account Takeover via IDOR
Critical
Starbucks
Team Summary
Official summary from Starbucks
ko2sec discovered that an alternate site shared database and cookie credentials with card.starbucks.com.sg. By exploiting an endpoint on the alternate site, ko2sec was able to copy a PHPSESSID cookie value from that site over to card.starbucks.com.sg and then see user information, update the password and perform an account takeover. ko2sec was awarded a bounty multiplier for this report as they had also submitted a second report for another site that mimicked this behavior. @ko2sec — thank you for reporting this vulnerability and for confirming the resolution.
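The root cause in the summary above is two PHP applications sharing one session backend and one cookie name, so a PHPSESSID minted by the lower-value site is a live session on card.starbucks.com.sg. The Python below is an added simulation written for this page, not code from the report or from Starbucks: the SessionStore and App classes, the hostnames alt.example.sg and card.example.sg, and the user ids are all stand-ins. It reproduces the cross-site replay against a shared store, then shows the two controls that stop it: giving each application its own store (in PHP terms a distinct session.save_path or session DB, and ideally a distinct session.name) and, as defense in depth, recording the issuing host in the session and rejecting sessions another host created.

```python
"""Simulation of the shared-session flaw from the report (example code).

Two apps that point session.save_path / their session DB at the same
backend and use the same cookie name accept each other's PHPSESSID values.
Everything here is a stand-in; hostnames and user ids are placeholders.
"""
import secrets


class SessionStore:
    """Stands in for a PHP session backend (files, DB, memcached)."""

    def __init__(self):
        self._sessions = {}

    def create(self, data):
        sid = secrets.token_hex(16)      # the value PHP would put in PHPSESSID
        self._sessions[sid] = dict(data)
        return sid

    def get(self, sid):
        return self._sessions.get(sid)


class App:
    """One PHP-style site. bind_to_host adds the issuing-host check."""

    def __init__(self, host, store, bind_to_host=False):
        self.host = host
        self.store = store
        self.bind_to_host = bind_to_host

    def login(self, user_id):
        """Authenticate and return the session id the browser would be set."""
        data = {"user_id": user_id}
        if self.bind_to_host:
            data["issued_by"] = self.host   # remembered so replay elsewhere fails
        return self.store.create(data)

    def current_user(self, sid):
        """Resolve a presented session id to a user, or None if rejected."""
        sess = self.store.get(sid)
        if sess is None:
            return None
        if self.bind_to_host and sess.get("issued_by") != self.host:
            return None
        return sess["user_id"]

    def change_password(self, sid, new_password):
        """Password change gated only on a valid session, as in the report."""
        return self.current_user(sid) is not None


def replay_alt_session_on_card(shared_store=True, bind_to_host=False):
    """Create a session on the alternate site and present it to the card site.

    Returns the user the card site resolves the cookie to; None means rejected.
    The report says an endpoint on the alternate site yielded the PHPSESSID
    value but does not detail how, so the session is simply created here.
    """
    alt_store = SessionStore()
    card_store = alt_store if shared_store else SessionStore()
    alt = App("alt.example.sg", alt_store, bind_to_host)      # placeholder host
    card = App("card.example.sg", card_store, bind_to_host)   # placeholder host
    sid = alt.login("victim")           # placeholder account on the alternate site
    return card.current_user(sid)


def takeover_possible(shared_store=True, bind_to_host=False):
    """True if the replayed session lets the attacker change the password."""
    alt_store = SessionStore()
    card_store = alt_store if shared_store else SessionStore()
    alt = App("alt.example.sg", alt_store, bind_to_host)
    card = App("card.example.sg", card_store, bind_to_host)
    sid = alt.login("victim")
    return card.change_password(sid, "attacker-chosen")


if __name__ == "__main__":
    print("shared store, no binding :", replay_alt_session_on_card())
    print("separate stores          :", replay_alt_session_on_card(shared_store=False))
    print("shared store, host-bound :", replay_alt_session_on_card(bind_to_host=True))
```

Separating the stores is the real fix, because the card site then has no record of any session the alternate site created. The host binding only helps once the card site's own code enforces it on every authenticated request, so treat it as a backstop for the case where someone later reconnects the two backends, not as a substitute for the separation.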
Reported by
ko2sec
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
Insecure Direct Object Reference (IDOR)