An authentication error left the personal data of hundreds of thousands of BrewDog customers and Equity for Punks shareholders exposed for a year and a half.
The gaffe involving an API bearer token was discovered by researchers at security consulting and testing company Pen Test Partners.
“Every mobile app user was given the same hard-coded API Bearer Token, rendering request authorization useless,” wrote the researchers in a blog post published today.
The mistake allowed any user to access the personally identifiable information (PII) belonging to another user. Other information exposed in the incident included users’ shareholding details and bar discounts.
Researchers said that the details of over 200,000 shareholders “plus many more customers” were exposed “for over 18 months.”
According to researchers, the token error left BrewDog vulnerable to theft, who noted that shareholders could claim a free beer in the three days before or after their birthday under the terms of the Equity for Punks scheme.
“One would simply access an account with the required date of birth, generate the QR code and the beers are on BrewDog!” wrote the researchers.
Pen Test Partners has criticized BrewDog’s handling of the cybersecurity issue, claiming that “disclosure was rather fraught.”
“Instead of being ‘cool’ as we had hoped, given their reputation as being a bit counter-culture, BrewDog instead declined to inform their shareholders and asked not to be named,” said Pen Test.
The security consulting company added: “It took four failed fixes to properly resolve the problem.”
Michael Isbitski, technical evangelist at Salt Security, told Infosecurity Magazine: “BrewDog all but laid out customers’ private information on a silver platter for attackers.”
Isbitski said that instead of using the dynamic, expiring authorization tokens typically seen within a proper OAuth2 implementation, the brewer used static authorization tokens, which were hardcoded within the application source code.
“Those static tokens granted access to BrewDog’s back-end APIs, which attackers could call directly to extract data,” said Isbitski.
“Additionally, BrewDog used account identifiers which could be easily predicted, making it a trivial task for an attacker to enumerate through user accounts and siphon PII.”