BrewDog app flaw exposed data on 200,000 shareholders and customers, researchers claim

Researchers at Pen Test Partners say API token exploit could have allowed hackers to access personal information and account details

BrewDog is said to have exposed the details of 200,000 of its “Equity for Punks” shareholders and customers for approximately 18 months following a flaw in the company’s mobile app.

A fault with the way BrewDog's mobile app handled token authentication, which resulted in tokens being hard-coded into the application rather that sent after a successful authentication request, meant hackers could have easily bypassed the check and accessed user information. 

Security consultants at Pen Test Partners (PTP), who discovered the fault, found that every user of the mobile app was given the same hard-coded API Bearer Token, effectively nullifying the authentication check.

The researchers, several of whom happen to be BrewDog investors, found that they could append a different customer ID to the end of the API endpoint URL and access that customer’s information. This included their name, date of birth, email and delivery addresses, number of shares held, shareholder number, and bar discount amount.

“An attacker could brute force the customer IDs and download the entire database of customers,” said researchers at PTP, in a blog post. “Not only could this identify shareholders with the largest holdings along with their home address, it could also be used to generate a lifetime's supply of discount QR codes!”

They also found the first use of hard-coded tokens was introduced with version 2.5.5 of the app, released in March 2020, meaning the app has been potentially vulnerable for around 18 months.

Following an alert to BrewDog, the company released a new version of the app on 13 September. However, the researchers claim this still allowed attackers to download bar discount codes for all users.

A subsequent update then added the researchers to its beta programme to help it solve the issue. By 27 September a new version of the app was released, with PTP testing six different builds and giving the beer company feedback on each version for free.

“We were recently informed of a vulnerability in one of our apps by a third party technical security services firm, following which we immediately took the app down and resolved the issue. We have not identified any other instances of access via this route or personal data having been impacted in any way,” a BrewDog spokesperson told IT Pro. “There was therefore no requirement to notify users. We are grateful to the third party technical security services firm for alerting us to this vulnerability.”

In an email to PTP, posted on the research blog, BrewDog said that it has yet to find evidence in the logs that vulnerability has been exploited or that data has been exposed, although it was working to validate this conclusion. 

The company also said that one of the factors in user notification is evidence of a breach as mandated by the ICO, adding that any user notification, if appropriate, would happen once the latest improvements are in place to limit further risk to its users. 

It also asked PTP not to name the company in its blog post as it would expose its users to increased risk.

However, PTP has said it is unsure how BrewDog would have validated whether the vulnerability had been exploited.

"Every request will be coming from a valid account with a valid (but identical!) bearer token," the researchers said. "How therefore would they prove that the request was from the valid user and not from persons unknown?"

Featured Resources

2021 Thales access management index: Global edition

The challenges of trusted access in a cloud-first world

Free download

Transforming higher education for the digital era

The future is yours

Free download

Building a cloud-native, hybrid-multi cloud infrastructure

Get ready for hybrid-multi cloud databases, AI, and machine learning workloads

Free download

The next biggest shopping destination is the cloud

Know why retail businesses must move to the cloud

Free Download

Recommended

Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021
Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021
61% of organizations say improving security a top priority for 2021
cyber security

61% of organizations say improving security a top priority for 2021

29 Jun 2021
ProtectedBy.AI’s CodeLock blocks malware at source code level
software as a service (SaaS)

ProtectedBy.AI’s CodeLock blocks malware at source code level

9 Jun 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
Cleaning up legacy IT to drag big tobacco into the future
digital transformation

Cleaning up legacy IT to drag big tobacco into the future

12 Oct 2021