A flaw in the brewery chain BrewDog's mobile app could have exposed the personal information of more than 200,000 shareholders and customers, and could even have let attackers claim free beer.
Researchers at PenTest Partners, a cybersecurity consultancy that discovered the vulnerability, said the data was accessible for more than 18 months.
This included name, date of birth, email and shipping address, contact number, shareholding, and more.
The flaw stems from how the app's API bearer tokens were issued. Most mobile apps are built on APIs and have a frontend that calls those API endpoints. APIs are usually protected by some form of authentication, and bearer tokens are the most common way to authenticate against APIs protected by OAuth 2.0.
“Generally, there is an authentication process in which a user sends credentials and receives a bearer token that allows access to the endpoint in that user's context,” PenTest Partners wrote. These tokens are sensitive and should only be issued after a successful authentication request, but the BrewDog app hard-coded the token instead.
“All mobile app users were given the same hard-coded API bearer token, which made request approval useless,” the researchers write. They added that it was easy to access other users' PII, bar discounts, shareholdings and more.
“But above all, shareholders get free beer three days before and after their birthday, under the terms of the Equity for Punks scheme.
“Just access your account with the required date of birth and generate a QR code, and the beer is on BrewDog!”
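The two token models the researchers contrast, as an added example that is not from the article or from BrewDog's own code: a single token shared by every app install (where the server must trust a client-supplied user id) beside a token issued per login and bound to the user server-side. The user records, passwords and token string are constructed placeholders.

```python
import hmac
import secrets

# Constructed sample data; not real BrewDog records.
USERS = {
    "u1": {"name": "Alice", "dob": "1990-05-01"},
    "u2": {"name": "Bob", "dob": "1985-09-09"},
}
PASSWORDS = {"u1": "alice-pw", "u2": "bob-pw"}

# --- Weak design: one hard-coded token shipped inside the app ---
SHARED_TOKEN = "hardcoded-app-token"  # placeholder value


def weak_get_profile(auth_header, user_id):
    """The token only proves the caller has the app; identity comes
    from a client-chosen parameter, so any user id can be requested."""
    if auth_header != f"Bearer {SHARED_TOKEN}":
        return None
    return USERS.get(user_id)


# --- Corrected design: token issued after login, bound to the user ---
SESSIONS = {}  # token -> user_id, kept server-side


def login(user_id, password):
    """Return a fresh random token only after credentials check out."""
    expected = PASSWORDS.get(user_id, "")
    if not hmac.compare_digest(expected, password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def get_profile(auth_header):
    """Identity is derived from the token itself, never from the request."""
    scheme, _, token = auth_header.partition(" ")
    if scheme != "Bearer" or token not in SESSIONS:
        return None
    return USERS[SESSIONS[token]]
```

With the shared token, a request naming another user's id returns that user's record; with the corrected design, the hard-coded string is rejected and each token can only ever reach its own user.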
BrewDog began using hard-coded tokens in v2.5.5 of the mobile app, released in March 2020.
The company finally addressed the issue with the release of v2.5.13 last month. However, according to PenTest Partners, four earlier fixes failed to properly address the issue, and the company did not notify users of the issue after the fix.
BrewDog told Sky News that no evidence was found suggesting that hackers had stolen shareholder data.
“We haven't identified any other instances of access through this route or any affected personal data, so we didn't need to notify users,” the company said.
The company also argued that it was not necessary to report a security incident to the Information Commissioner's Office (ICO) because users' data was not compromised.
“The ICO is very clear about this,” the company said.
“We need to notify when data is compromised. This is a vulnerability report, and because the only personal data accessed was that of the third party who performed the assessment, there is no need to.”
BrewDog claims that there is no evidence that the data has been stolen, but it remains to be established whether unauthorised persons accessed the information.
“BrewDog says they can't see any evidence right now, but I'm not sure how they can verify this. All requests would be sent from valid accounts with valid (but identical) bearer tokens,” the researchers pointed out.
“Therefore, how do they prove that the request is from a valid user, not an unknown person?”
“A very thorough forensic investigation is required to be sure that no breach has occurred.”