Nearly 2 lakh BrewDog customers hit by personal data breach
BrewDog, the Scottish brewery and pub chain known for its crowdfunding model and its IPAs, exposed the personal information of around 200,000 of its shareholders and customers.
For more than 18 months, the company’s mobile app, which lets its “Equity Punks” shareholder community view their holdings, redeem offers in bars and more, was the source of the exposure.
According to an analysis by PenTestPartners, the problem lies in the app’s API, specifically in its token-based authentication.
The flaw stems from the fact that the API bearer token was hard-coded into the mobile app rather than issued to it after a user had successfully authenticated. Because every install of the app carried the same token, the token identified the app but not the user, so anyone could append any customer ID to the API endpoint URL and retrieve that customer’s PII (Personally Identifiable Information).
The following details could be retrieved this way: name, date of birth, gender, email address, all previous delivery addresses, phone number, number of shares held, shareholder number, bar discount amount, bar discount ID (the number used to generate the in-app QR code) and the number of beer referrals already purchased.
Customer IDs are not strictly sequential, but they follow a recognisable pattern, which makes enumerating them far more practical than guessing random numbers.
Beyond letting anyone read sensitive information about other users, shareholders and customers of the BrewDog app, the flaw had a direct business impact: by generating QR codes from accounts “loaded” with discounts, an attacker could obtain an unlimited supply of free beer and discounts.
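The two design mistakes described above, a shared token baked into the app and an endpoint that never checks whether the caller owns the requested record, are easiest to see side by side in code. The following is an added, constructed example and is not BrewDog’s or PenTestPartners’ code: the customer records, the token value, the customer ID range and the passwords are all invented, and the API is modelled as plain Python functions rather than a real HTTP server. The vulnerable handler accepts the static app token and serves whatever ID is in the URL; the hardened handler issues a random per-user session token at login and refuses any request for a record that does not belong to that session’s user.

```python
"""Constructed demo of the BrewDog-style API flaw: a bearer token hard-coded in
the app versus a per-user session token plus an object-level authorization check.
All data, tokens and credentials below are invented for the demo."""
import hashlib
import hmac
import secrets

# Constructed sample shareholder records (field names loosely follow the
# article's list; values are invented).
CUSTOMERS = {
    18342: {"name": "Alice Example", "email": "alice@example.com",
            "shares": 40, "discount_id": "D-1001"},
    18345: {"name": "Bob Example", "email": "bob@example.com",
            "shares": 5, "discount_id": "D-1002"},
}

# --- Vulnerable pattern -----------------------------------------------------
# Hypothetical static token shipped inside the app binary. Every install carries
# the same value, so presenting it proves "I have the app", never "I am customer N".
APP_TOKEN = "hardcoded-app-token-0000"


def vulnerable_get_customer(headers, customer_id):
    """GET /customer/<id> as the article describes it: any caller holding the
    shared token can read any record simply by changing the id in the URL."""
    expected = f"Bearer {APP_TOKEN}"
    if not hmac.compare_digest(headers.get("Authorization", ""), expected):
        return 401, None
    record = CUSTOMERS.get(customer_id)
    return (200, record) if record else (404, None)


def harvest(get_customer, headers, id_range):
    """Enumerate customer ids the way an attacker would; returns records obtained."""
    found = {}
    for cid in id_range:
        status, record = get_customer(headers, cid)
        if status == 200:
            found[cid] = record
    return found


# --- Hardened pattern -------------------------------------------------------
def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Demo credentials only: salted PBKDF2 hashes of invented passwords.
_SALTS = {cid: secrets.token_bytes(16) for cid in CUSTOMERS}
_PW_HASHES = {18342: _hash_pw("alice-pw", _SALTS[18342]),
              18345: _hash_pw("bob-pw", _SALTS[18345])}

SESSIONS = {}  # server-side map: random session token -> customer id


def login(customer_id, password):
    """Issue a random per-user token only after the user proves who they are."""
    expected = _PW_HASHES.get(customer_id)
    if expected is None or not hmac.compare_digest(
            expected, _hash_pw(password, _SALTS[customer_id])):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer_id
    return token


def hardened_get_customer(headers, customer_id):
    """Same endpoint with two fixes: the token is bound server-side to exactly
    one customer, and the handler checks that the requested id is that customer's."""
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    owner = SESSIONS.get(token)
    if owner is None:
        return 401, None        # no valid session for this token
    if owner != customer_id:
        return 403, None        # object-level authorization failure: IDOR blocked
    return 200, CUSTOMERS[customer_id]


if __name__ == "__main__":
    attacker = {"Authorization": f"Bearer {APP_TOKEN}"}
    print("vulnerable, app token:",
          len(harvest(vulnerable_get_customer, attacker, range(18300, 18400))), "records")
    alice = {"Authorization": f"Bearer {login(18342, 'alice-pw')}"}
    print("hardened, own record:", hardened_get_customer(alice, 18342)[0])
    print("hardened, other record:", hardened_get_customer(alice, 18345)[0])
    print("hardened, app token:",
          len(harvest(hardened_get_customer, attacker, range(18300, 18400))), "records")
```

Note that the fix is not only “stop hard-coding the token”: a per-user token alone still leaves the endpoint open if the handler trusts the ID in the URL, which is why `hardened_get_customer` compares the requested ID against the session owner before returning anything.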
The bug had been present since March 2020, when version 2.5.5 of the BrewDog app introduced the hard-coded tokens. The BrewDog team remained unaware of the weakness for a long time and did not fix the token handling in later releases.
Version 2.5.13, released on 27 September 2021, finally fixed the issue, but the changelog for that update disclosed nothing of significance.
According to the researcher, BrewDog downplayed the significance of the findings and repeatedly stated that there was no evidence of a data breach. That assurance means little: requests made with the hard-coded token look like ordinary app traffic, so even an active search for indicators of compromise would turn up nothing.
To our knowledge, BrewDog has not told its shareholders or customers that their data may have been compromised. We have reached out to the company for comment but have yet to receive a response.