Serviceteam IT Security News

Brewer’s Token Gaffe Causes Massive PII Breach

An authentication error left the personal data of hundreds of thousands of BrewDog customers and Equity for Punks shareholders exposed for a year and a half. 

The gaffe involving an API bearer token was discovered by researchers at security consulting and testing company Pen Test Partners.

"Every mobile app user was given the same hard-coded API Bearer Token, rendering request authorization useless," wrote the researchers in a blog post published today.

The mistake allowed any user to access the personally identifiable information (PII) belonging to another user. Other information exposed in the incident included users' shareholding details and bar discount.

Researchers said that the details of over 200,000 shareholders "plus many more customers" were exposed "for over 18 months."

The token error left BrewDog vulnerable to theft, according to researchers, who noted that shareholders can claim a free beer in the three days before or after their birthday under the terms of the Equity for Punks scheme. 

"One would simply access an account with the required date of birth, generate the QR code and the beers are on BrewDog!" wrote the researchers.

Pen Test Partners has criticized BrewDog's handling of the cybersecurity issue, claiming that "disclosure was rather fraught."

"Instead of being ‘cool’ as we had hoped, given their reputation as being a bit counter-culture, BrewDog instead declined to inform their shareholders and asked not to be named," said Pen Test.

The security consulting company added: "It took four failed fixes to properly resolve the problem."

Michael Isbitski, technical evangelist at Salt Security, told Infosecurity Magazine: "BrewDog all but laid out customers' private information on a silver platter for attackers."

Isbitski said that instead of using the kind of dynamic, expiring authorization tokens typically seen within a proper OAuth2 implementation, the brewer used static authorization tokens, which were hard-coded within the application source code.

"Those static tokens granted access to BrewDog’s back-end APIs, which attackers could call directly to extract data," said Isbitski. 

"Additionally, BrewDog used account identifiers which could be easily predicted, making it a trivial task for an attacker to enumerate through user accounts and siphon PII."
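The two weaknesses Isbitski describes, a shared static token and guessable account identifiers, combine into one failure: the token says nothing about who is calling, so the server cannot tell a user's own request from a request for someone else's record. The Python below is an added illustration, not BrewDog's or Pen Test Partners' code: `static_token_lookup` shows the shared-token pattern, and `bound_token_lookup` shows a per-user, expiring token whose subject must match the requested account. The token format is a simplified HMAC-signed stand-in for what an OAuth2/JWT library would issue, and all keys, tokens and user records are constructed placeholders.

```python
import base64, hashlib, hmac, json, time

# Constructed values: a single app-wide token (the BrewDog pattern) and a
# server-only signing key. Both are placeholders, not real secrets.
STATIC_TOKEN = "static-app-token-PLACEHOLDER"
SECRET = b"server-side-signing-key-PLACEHOLDER"

# Constructed user store with sequential, guessable account identifiers.
USERS = {1001: {"name": "alice", "dob": "1990-04-01"},
         1002: {"name": "bob", "dob": "1985-11-20"}}

def static_token_lookup(bearer, account_id):
    """'Before': every app install sends the same hard-coded token. It proves
    the caller has the app, not who the caller is, so any account id works."""
    if bearer != STATIC_TOKEN:
        return None
    return USERS.get(account_id)

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(account_id, ttl_seconds=900, now=None):
    """Per-user, short-lived token: HMAC over {sub, exp} (simplified JWT-style)."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": account_id, "exp": now + ttl_seconds}).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def verify_token(token, now=None):
    """Return the token's subject if signature and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        p, s = token.split(".")
        payload, sig = _unb64(p), _unb64(s)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, hmac.new(SECRET, payload, hashlib.sha256).digest()):
        return None
    claims = json.loads(payload)
    return claims["sub"] if claims["exp"] > now else None

def bound_token_lookup(bearer, account_id, now=None):
    """'After': serve a record only when the token's subject is that account,
    so a guessed id cannot be read with someone else's (or a shared) token."""
    sub = verify_token(bearer, now)
    if sub is None or sub != account_id:
        return None
    return USERS.get(account_id)
```

The object-level check in `bound_token_lookup` is what stops identifier enumeration; a signed token alone would still let one legitimate user read every other account.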

Source: Infosecurity Magazine
