A flaw in brewery chain BrewDog’s mobile app could have exposed more than 200,000 shareholders’ and customers’ personal information – as well as letting hackers steal beer, if they so desired.
Researchers at cyber security consultancy firm PenTest Partners, who discovered the vulnerability, said the data had been accessible for more than 18 months.
It included names, dates of birth, email and delivery addresses, contact numbers, shareholdings and more.
The flaw was traced back to the way API Bearer Tokens were issued. Most mobile apps are built on APIs, with a native front-end on each mobile OS that calls those API endpoints. APIs are normally protected with some form of authentication, and Bearer Tokens are the most common way of authenticating to APIs protected by OAuth 2.0.
‘Generally, there is an authentication process where a user submits their credentials, and a bearer token is returned which permits access to the endpoints in the context of that user,’ PenTest Partners wrote. Due to their sensitivity, these tokens should only be provided after a successful authentication request, but whoever designed the BrewDog app instead hard-coded them in.
‘Every mobile app user was given the same hard-coded API Bearer Token, rendering request authorisation useless,’ the researchers wrote, adding that it would have been trivial for any user to access other users’ PII, bar discount, shareholding, and other details.
‘But, best of all, shareholders get a free beer on the three days before or after their birthday under the terms of the Equity for Punks scheme.
‘One would simply access an account with the required date of birth, generate the QR code and the beers are on BrewDog!’
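To show the design flaw the researchers describe, here is an added Python sketch (not BrewDog's code and not PenTest Partners' test code) of an API handler that authorises with one token shared by every install, beside one that mints a token per login and takes the caller's identity from that token. The user records, passwords and token values are constructed placeholders.

```python
import hmac
import secrets

# Constructed sample data; not real BrewDog users, credentials or tokens.
USERS = {
    "u1": {"name": "Alice", "dob": "1990-04-02", "shares": 5},
    "u2": {"name": "Bob", "dob": "1985-11-17", "shares": 12},
}
CREDENTIALS = {"u1": "pw-alice", "u2": "pw-bob"}  # real systems store hashes

# Vulnerable design: a single token baked into every copy of the app.
SHARED_TOKEN = "hardcoded-app-token"  # placeholder, not the real value


def vulnerable_get_profile(user_id, bearer):
    """The shared token proves only that the caller has the app, not who
    they are, so the user id in the request is trusted as-is and any
    caller can read (and act as) any other user."""
    if not hmac.compare_digest(bearer, SHARED_TOKEN):
        return None
    return USERS.get(user_id)


# Hardened design: tokens are issued after a successful login and each
# token is bound to exactly one subject on the server side.
_sessions = {}  # token -> user_id


def login(user_id, password):
    """Return a fresh per-user bearer token, or None on bad credentials."""
    expected = CREDENTIALS.get(user_id)
    if expected is None or not hmac.compare_digest(password, expected):
        return None
    token = secrets.token_urlsafe(32)
    _sessions[token] = user_id
    return token


def hardened_get_profile(user_id, bearer):
    """Authorise against the subject bound to the token: a valid token
    for Alice cannot fetch Bob's record, and the old shared token is
    not a session at all."""
    subject = _sessions.get(bearer)
    if subject is None or subject != user_id:
        return None
    return USERS.get(user_id)
```

Because each token maps to one subject, the hardened server can also attribute every logged request to a user, which is exactly what the researchers say a shared token makes impossible.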
BrewDog began using hard-coded tokens with v2.5.5 of its mobile app, released in March 2020.
It finally addressed the issue with the release of v2.5.13 last month, but only after four failed fixes, according to PenTest Partners, and it neglected to notify its users of the issue even after it was fixed.
BrewDog told Sky News that it found no evidence to suggest that hackers had stolen shareholder data.
‘We have not identified any other instances of access via this route or personal data having been impacted in any way. There was, therefore, no requirement to notify users,’ it said.
The company also claimed that it was not required to report the security incident to the Information Commissioner’s Office (ICO), as users’ data was not put at risk.
‘The ICO is very clear on this,’ it said.
‘We have to notify when users’ data has been put at risk. As this was a vulnerability report, and the only personal data that was accessed was that of the third party conducting the assessment, there is no requirement to notify.’
While BrewDog claims there is no evidence to suggest any data was stolen, the company should still examine whether any unauthorised persons accessed the information.
‘Whilst BrewDog say that they can’t currently see any evidence of that, we’re not quite sure how they would validate this: every request will be coming from a valid account with a valid (but identical!) bearer token,’ the researchers noted.
‘How therefore would they prove that the request was from the valid user and not from persons unknown?
‘It will need a very thorough forensic investigation to prove for certain that a breach hasn’t occurred.’