[BreachExchange] Brewer's Token Gaffe Causes Massive PII Breach

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Mon Oct 11 10:53:48 EDT 2021


https://www.infosecurity-magazine.com/news/brewers-token-gaffe-massive-pii/

An authentication error left the personal data of hundreds of thousands of
BrewDog customers and Equity for Punks shareholders exposed for a year and
a half.

The gaffe involving an API bearer token was discovered by researchers at
security consulting and testing company Pen Test Partners.

“Every mobile app user was given the same hard-coded API Bearer Token,
rendering request authorization useless,” wrote the researchers in a blog
post published today.

The mistake allowed any user to access the personally identifiable
information (PII) belonging to another user. Other information exposed in
the incident included users’ shareholding details and bar discounts.

Researchers said that the details of over 200,000 shareholders “plus many
more customers” were exposed “for over 18 months.”

The researchers, who noted that shareholders could claim a free beer in the
three days before or after their birthday under the terms of the Equity for
Punks scheme, said the token error also left BrewDog itself open to theft.

“One would simply access an account with the required date of birth,
generate the QR code and the beers are on BrewDog!” wrote the researchers.

Pen Test Partners has criticized BrewDog’s handling of the cybersecurity
issue, claiming that “disclosure was rather fraught.”

“Instead of being ‘cool’ as we had hoped, given their reputation as being a
bit counter-culture, BrewDog instead declined to inform their shareholders
and asked not to be named,” said Pen Test.

The security consulting company added: “It took four failed fixes to
properly resolve the problem.”

Michael Isbitski, technical evangelist at Salt Security, told Infosecurity
Magazine: “BrewDog all but laid out customers’ private information on a
silver platter for attackers.”

Isbitski said that instead of using the dynamic, expiring authorization
tokens typically seen within a proper OAuth2 implementation, the brewer
used static authorization tokens, which were hardcoded within the
application source code.

“Those static tokens granted access to BrewDog’s back-end APIs, which
attackers could call directly to extract data,” said Isbitski.

“Additionally, BrewDog used account identifiers which could be easily
predicted, making it a trivial task for an attacker to enumerate through
user accounts and siphon PII.”
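The two authorization patterns Isbitski contrasts, shown side by side as an added example (this is not code from the article, Pen Test Partners or BrewDog's app; the server key, account records and token format are constructed for illustration). The weak handler accepts one static token for every caller and trusts the account id in the request; the hardened one issues a signed, expiring, per-user token and only returns an account whose id matches the token's subject, which is the object-level check that stops enumeration of other users' records.

```python
import base64, hashlib, hmac, json, secrets, time

SERVER_KEY = secrets.token_bytes(32)   # hypothetical server-side signing key
ACCOUNTS = {1001: {"name": "alice", "dob": "1990-05-01"},   # constructed data
            1002: {"name": "bob", "dob": "1985-11-23"}}

# --- weak pattern: one static token shipped in every app build ---
SHARED_TOKEN = "app-build-token"        # placeholder, not a real value

def weak_get_account(bearer: str, account_id: int):
    """Anyone holding the shared token can read any account: the flaw the article describes."""
    if bearer != SHARED_TOKEN:
        return None
    return ACCOUNTS.get(account_id)

# --- hardened pattern: signed, expiring, per-user token plus ownership check ---
def issue_token(user_id: int, ttl_s: int = 900, now=None) -> str:
    """Mint a token bound to one user that expires after ttl_s seconds."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": user_id, "exp": int(now + ttl_s)}).encode()
    body = base64.urlsafe_b64encode(payload).decode()
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def verify_token(token: str, now=None):
    """Return the token's subject if the HMAC is valid and it has not expired, else None."""
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] <= now:
        return None
    return claims["sub"]

def safe_get_account(bearer: str, account_id: int, now=None):
    """Object-level authorization: the caller may only read the account the token names."""
    sub = verify_token(bearer, now)
    if sub is None or sub != account_id:
        return None
    return ACCOUNTS.get(account_id)
```

The `now` parameter exists only so expiry can be exercised deterministically; a real service would also log the rejected cross-account requests, since a burst of them against sequential ids is the enumeration pattern described above.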