Pen Test Partners shared the news that BrewDog exposed the details of more than 200,000' Equity for Punks' shareholders for over 18 months, along with many more customers.
During this time, every mobile app user was given the same hard-coded API Bearer Token, rendering request authorization useless and making it possible for any user to access any other user's PII, shareholding, bar discount, and more. BrewDog did not inform shareholders or customers of this breach of privacy until too much time had passed.
Pen Test Partners researchers could easily retrieve data on customers, including:
- Name
- Date of Birth
- Email address
- Gender
- All previously used delivery addresses
- Telephone number
- Number of shares held
- Shareholder number
- Bar discount amount
- Bar discount ID – used to create the QR code
- Number of referrals
- Type of beer previously purchased
An attacker could brute force the customer IDs and download the entire database of customers, the researchers say, which could lead attackers to identify shareholders with the largest holdings and their home addresses and be used to generate a lifetimes supply of discount QR codes as well.
Michael Isbitski, Technical Evangelist at Salt Security, a Palo Alto, Calif.-based provider of API security, says, "BrewDog did not use dynamic, expiring authorization tokens, such as what you might see within a proper OAuth2 implementation. Instead, the company used static authorization tokens, which were hard coded within the application source code. Those static tokens granted access to BrewDog's back-end APIs, which attackers could call directly to extract data. Mobile binaries are easily reverse engineered where such static tokens can be extracted. Additionally, BrewDog used account identifiers that could be easily predicted, making it a trivial task for an attacker to enumerate through user accounts and siphon PII."
Isbitski says the incident is a perfect example of over-confidence in access control as a sole strategy for API security. "The devil is in the details of authentication and authorization, and organizations often implement access controls improperly. Such poorly coded APIs and mobile front end often pass security audits and application scans since the mere presence of an authorization header can give the illusion of proper access control. Testing API access controls thoroughly, such as making sure authentication and authorization tokens are dynamic and expire after sufficient time intervals, is often out of scope for quick manual inspections and most scanning tools.
The incident also highlights the dangers of broken authentication and broken authorization (BOLA) since BrewDog also did not use sufficient randomness to differentiate customer identifiers, he adds. "BrewDog all but laid out customers' private information on a silver platter for attackers."