BrewDog is said to have exposed the details of 200,000 of its “Equity for Punks” shareholders and customers for approximately 18 months following a flaw in the company’s mobile app.
A fault with the way BrewDog's mobile app handled token authentication, which resulted in tokens being hard-coded into the application rather that sent after a successful authentication request, meant hackers could have easily bypassed the check and accessed user information.
Security consultants at Pen Test Partners (PTP), who discovered the fault, found that every user of the mobile app was given the same hard-coded API Bearer Token, effectively nullifying the authentication check.
The researchers, several of whom happen to be BrewDog investors, found that they could append a different customer ID to the end of the API endpoint URL and access that customer’s information. This included their name, date of birth, email and delivery addresses, number of shares held, shareholder number, and bar discount amount.
“An attacker could brute force the customer IDs and download the entire database of customers,” said researchers at PTP, in a blog post. “Not only could this identify shareholders with the largest holdings along with their home address, it could also be used to generate a lifetime's supply of discount QR codes!”
They also found the first use of hard-coded tokens was introduced with version 2.5.5 of the app, released in March 2020, meaning the app has been potentially vulnerable for around 18 months.
Following an alert to BrewDog, the company released a new version of the app on 13 September. However, the researchers claim this still allowed attackers to download bar discount codes for all users.
A subsequent update then added the researchers to its beta programme to help it solve the issue. By 27 September a new version of the app was released, with PTP testing six different builds and giving the beer company feedback on each version for free.
“We were recently informed of a vulnerability in one of our apps by a third party technical security services firm, following which we immediately took the app down and resolved the issue. We have not identified any other instances of access via this route or personal data having been impacted in any way,” a BrewDog spokesperson told IT Pro. “There was therefore no requirement to notify users. We are grateful to the third party technical security services firm for alerting us to this vulnerability.”
In an email to PTP, posted on the research blog, BrewDog said that it has yet to find evidence in the logs that vulnerability has been exploited or that data has been exposed, although it was working to validate this conclusion.
The company also said that one of the factors in user notification is evidence of a breach as mandated by the ICO, adding that any user notification, if appropriate, would happen once the latest improvements are in place to limit further risk to its users.
It also asked PTP not to name the company in its blog post as it would expose its users to increased risk.
However, PTP has said it is unsure how BrewDog would have validated whether the vulnerability had been exploited.
"Every request will be coming from a valid account with a valid (but identical!) bearer token," the researchers said. "How therefore would they prove that the request was from the valid user and not from persons unknown?"
