BrewDog, the Scottish brewing and pub chain known for its crowd-funding strategy and excellent IPAs, has exposed the personal information of 200,000 of its shareholders and customers in an irreversible manner.
For over 18 months the source of the exposure was the company’s mobile app, which gives the ‘Equity Punks’ shareholder community access to account information, bar deals, and more.
The issue, according to a PenTestPartners assessment, is in the app’s API, specifically in its token-based authentication.
The flaw stems from the fact that the API tokens were hard-coded into the mobile app rather than being issued to it after a user had successfully authenticated. The token therefore proved only that the caller was the app, not which customer was calling, and the API performed no further authorization check. As a result, anyone holding the token could append any customer ID to the API endpoint URL and retrieve that customer’s sensitive PII (personally identifiable information).
The details that could be retrieved in this straightforward manner included: name, date of birth, gender, email address, telephone number, all previously used delivery addresses, number of shares held, shareholder number, number of referrals, bar discount amount, bar discount ID (the value used to generate the in-bar QR code), and the type of beer previously purchased.
While customer IDs are not sequential, they follow a recognisable pattern, so walking through candidate IDs is far more practical than guessing random numbers.
Beyond exposing sensitive information about other BrewDog app users, shareholders, and customers, the flaw also had a direct cost to the company. By generating QR codes from the bar discount IDs of accounts “laden” with discounts, an abuser of the flaw could obtain an effectively unlimited supply of free beer and discounts.
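To make the mechanism concrete, the following is an added example and is not code from PenTestPartners or BrewDog. It contrasts an API handler that only checks a token baked into the app (the pattern the article describes) with one that issues a per-user session token and enforces that the requested customer ID belongs to the session owner. All customer records, IDs, the token value, and the passwords are constructed for the demonstration; the function names are my own.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data (fictional names and IDs, not real BrewDog records).
# IDs are non-sequential but patterned, which is what makes enumeration cheap.
CUSTOMERS = {
    "EP-1003": {"name": "A. Example", "dob": "1985-03-12", "shares": 40, "bar_discount_id": "BD-77311"},
    "EP-1007": {"name": "B. Example", "dob": "1990-11-02", "shares": 5, "bar_discount_id": "BD-77320"},
    "EP-1012": {"name": "C. Example", "dob": "1978-06-30", "shares": 120, "bar_discount_id": "BD-77355"},
}

# --- Vulnerable pattern: one bearer token compiled into the mobile app -------
HARDCODED_APP_TOKEN = "static-token-shipped-in-the-apk"  # hypothetical value


def vulnerable_get_customer(token: str, customer_id: str) -> Optional[dict]:
    """Checks that the caller is 'the app', never that the caller *is* customer_id."""
    if not hmac.compare_digest(token, HARDCODED_APP_TOKEN):
        return None
    # No object-level authorization: any holder of the token reads any record,
    # including the bar_discount_id used to build the QR code.
    return CUSTOMERS.get(customer_id)


# --- Hardened pattern: per-user session token issued after authentication ----
_SALT = b"constructed-demo-salt"
# Password hashes for the demo accounts (constructed; password is "pw-<id>").
_PASSWORD_HASHES = {
    cid: hashlib.pbkdf2_hmac("sha256", f"pw-{cid}".encode(), _SALT, 100_000)
    for cid in CUSTOMERS
}
SESSIONS: dict = {}  # session token -> customer id


def login(customer_id: str, password: str) -> Optional[str]:
    """Returns a fresh random session token bound to customer_id, or None."""
    expected = _PASSWORD_HASHES.get(customer_id)
    supplied = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if expected is None or not hmac.compare_digest(expected, supplied):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer_id
    return token


def hardened_get_customer(token: str, customer_id: str) -> Optional[dict]:
    """Object-level authorization: the session owner must match the requested ID."""
    owner = SESSIONS.get(token)
    if owner is None:
        return None  # unauthenticated
    if owner != customer_id:
        return None  # authenticated, but not the owner of this record
    return CUSTOMERS[customer_id]


def enumerate_customers(handler, token: str, candidate_ids) -> dict:
    """What an attacker collects by walking candidate IDs with a single token."""
    found = {}
    for cid in candidate_ids:
        record = handler(token, cid)
        if record is not None:
            found[cid] = record
    return found


if __name__ == "__main__":
    ids = [f"EP-{n}" for n in range(1000, 1015)]
    print("vulnerable:", sorted(enumerate_customers(vulnerable_get_customer, HARDCODED_APP_TOKEN, ids)))
    tok = login("EP-1007", "pw-EP-1007")
    print("hardened:", sorted(enumerate_customers(hardened_get_customer, tok, ids)))
```

Run as-is: the vulnerable handler returns every record in the ID range to anyone who extracted the static token from the app package, while the hardened handler returns only the record belonging to the logged-in session, and a request for another customer's ID is refused even with a valid session. The check that matters is the second one in `hardened_get_customer`: a valid credential says who is asking, and the server must still decide whether that identity may read the object requested.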
The bug has existed since March 2020, when BrewDog’s app version 2.5.5 introduced hard-coded tokens. Unfortunately, the BrewDog team was unaware of the weakness for a long time and failed to protect their token system in later releases.
Version 2.5.13, released on September 27, 2021, eventually fixed the problem. However, the changelog for that update did not mention the security fix.
According to the researcher, BrewDog minimised the significance of his findings and repeatedly claimed that there was no proof of a data breach. Even if the company had been actively looking for indicators of a breach, there would be none to find: exploitation consisted of ordinary-looking API requests carrying the app’s own valid token, indistinguishable from legitimate use.
BrewDog has not told its shareholders or consumers, to our knowledge, that their data may have been compromised. We attempted to contact them for comment but have yet to receive a response.