When I login to Starbucks my URL populates like this
http://sbux-portal.appspot.com/splash?mac=0c:84:dc:21:96:bd&apname=18:64:72:ce:58:d8
which is a GET request with parameters like this:
mac=0c:84:dc:21:96:bd
apname=18:64:72:ce:58:d8
and then immediately redirects to
https://digital.starbucks.com/?vh=439eafa068feaf8cfe59a4eaa7a31eed&MacAddr=0c:84:dc:21:96:bd&venue=07386&ts=1434977299
which I can see is a GET request with the parameters:
vh = 439eafa068feaf8cfe59a4eaa7a31eed
MacAddr = 0c:84:dc:21:96:bd
venue = 07386
ts = 1434977299
Is there a way to figure out what these parameters are? Is there some where I can look? Using getmac I can see my mac address is being sent and that ts appears to be a time stamp, but what are the other parameters for? ( Update: venue appears to be the store number )
As a side, how are they able to obtain my MAC address? Are using JavaScript to do this ?
You seemed to have guessed many of the parameters correctly yourself. It looks like
apnameis also a mac address but likely of the local Starbucks router.Also, because you can see your MAC address in the GET request and the client does not have access to this, it is being determined on the server, and being sent back to you.
This is why you see it in the redirect.