#EpicFail : BrewDog App Vulnerability Exposes Data On 200k Shareholders To Anyone

New research from PenTestPartners shows Scottish brewery BrewDog exposed data of over 200,000 shareholders a year by hardcoding authentication tokens associated with their API endpoints designed for BrewDog’s mobile application. Here’s the scope of this #EpicFail:

  • BrewDog exposed the details of over 200,000 ‘Equity for Punks’ shareholders for over 18 months plus many more customers
  • Every mobile app user was given the same hard coded API Bearer Token, rendering request authorisation useless
  • It was therefore trivial for any user to access any other user’s PII, shareholding, bar discount, and more
  • Disclosure was rather fraught. Instead of being ‘cool’ as we had hoped, given their reputation as being a bit counter-culture, BrewDog instead declined to inform their shareholders and asked not to be named. It took 4 failed fixes to properly resolve the problem.
  • It’s public knowledge that BrewDog are considering an IPO. We are concerned for future investors if BrewDog’s wider approach to security and disclosure is this weak.
  • But, best of all, shareholders get a free beer on the 3 days before or after their birthday under the terms of the Equity for Punks scheme. One would simply access an account with the required date of birth, generate the QR code and the beers are on BrewDog!

And how BrewDog handed this is even more of an #EpicFail:

It took several days for BrewDog to respond properly, which was a fail in itself. We had to escalate via LinkedIn, as their social media team didn’t know what to do with the report.

Top tip: A company who puts out an app should have a clear means to allow vulnerability reports to reach the right people. These clowns didn’t. Another #EpicFail. And while they did get the issue fixed…. eventually, there was this:

The vulnerability is fixed. As far as I know, BrewDog have not alerted their customers and shareholders that their personal details were left unprotected on the internet.

And what makes this really bad is that it isn’t clear if this vulnerability was exploited. This is wrong on so many levels and reflects poorly on BrewDog.

Yariv Shivek, VP of Product, Neosec had this to say about said #EpicFail:

“Hardcoding API credentials (API keys, tokens, etc.) into mobile apps is sadly a common mistake. Mobile applications — as well as single-page web applications (aka SPAs) — run in untrusted client environments, environments under the (ab)user’s control. Looking for API credentials in applications is easy, and when those credentials allow bypassing authentication or authorization, this can lead to data leaks and even complete account takeovers.”

“Secure coding and client-based security controls can and should be employed to prevent these things from happening. But as with all things, prioritization is key, and prioritization relies on knowing which API endpoints pass sensitive data, the types of sensitive data being passed, as well as what each service and endpoint’s risk posture is. This knowledge is actually at most organizations’ fingertips — in the form of unmined logs.”

Hopefully BrewDog suffers some repetitional damage from this #EpicFail as this coding decision and the response to it is completely unacceptable.

Leave a Reply

%d bloggers like this: