BrewDog, the Scottish brewery and pub chain known for its crowd-funding approach and delicious IPAs, has irreversibly exposed the personal information of 200,000 of its shareholders and customers.
The breach lasted for more than 18 months, and the source was the firm’s mobile app. It provides information, discounts at bars, and other benefits to the ‘Equity Punks’ group.
According to a Pen Test Partners report, the issue is with the app's API, specifically its token-based authentication. A single static bearer token was hard-coded into the mobile app binary and shared by every install, rather than a per-user token being issued to the app after successful login. Because such a token can be extracted from the app package, it proves nothing about who is calling.
The API then checked only that the token was present, not that the caller owned the record being requested, a textbook insecure direct object reference (broken object-level authorization). As a result, anyone may attach any customer ID to the API endpoint URL and get access to that customer's sensitive PII (Personally Identifiable Information). The following details may be revealed:
- Name
- Gender
- Date of Birth
- Email address
- Telephone number
- Number of shares owned
- Shareholder number
- Bar discount amount
- Bar discount ID
- Number of referrals
- Any or all prior delivery addresses
- Type of beer previously bought
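The flaw described above, shown as a worked example that is added here and is not BrewDog's code or the Pen Test Partners proof of concept. The customer records, the static token value, the login credentials and the endpoint shape are all constructed for illustration. The vulnerable handler reproduces the described behaviour (a shared static token plus a caller-supplied customer ID), the hardened handler issues a session token only after login and refuses to serve any record the session does not own, and `harvest` shows what an enumerator gets from each:

```python
import hashlib
import hmac
import secrets

# Constructed sample data; not real BrewDog records or a real token.
CUSTOMERS = {
    "100234": {"name": "Alice Example", "email": "alice@example.com",
               "shares": 12, "discount_id": "D-7781"},
    "100517": {"name": "Bob Example", "email": "bob@example.com",
               "shares": 3, "discount_id": "D-9023"},
}


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = b"constructed-fixed-salt"  # hypothetical; real systems use a random per-user salt
# email -> (customer_id, password hash)
ACCOUNTS = {
    "alice@example.com": ("100234", _pw_hash("correct horse", _SALT)),
    "bob@example.com": ("100517", _pw_hash("battery staple", _SALT)),
}

# The flaw: one bearer token baked into the app binary and shared by every install.
STATIC_APP_TOKEN = "app-build-token-0123456789"  # hypothetical value


def _bearer(headers):
    auth = headers.get("Authorization", "")
    return auth[len("Bearer "):] if auth.startswith("Bearer ") else None


def vulnerable_get_customer(headers, customer_id):
    """Mirrors the described bug: the token only proves 'this came from the app';
    the customer ID comes straight from the URL, so any ID is served."""
    if _bearer(headers) != STATIC_APP_TOKEN:
        return 401, None
    record = CUSTOMERS.get(customer_id)
    return (200, record) if record else (404, None)


# --- Hardened version: per-user session tokens plus object-level authorization ---
SESSIONS = {}  # session token -> customer_id, held server-side


def login(email, password):
    """Issue a random session token only after the password checks out."""
    entry = ACCOUNTS.get(email)
    if entry is None or not hmac.compare_digest(entry[1], _pw_hash(password, _SALT)):
        return None
    token = secrets.token_urlsafe(32)  # never shipped inside the app
    SESSIONS[token] = entry[0]
    return token


def secure_get_customer(headers, customer_id):
    """The session decides who the caller is; the URL parameter is honoured
    only when it names the caller's own record."""
    caller = SESSIONS.get(_bearer(headers) or "")
    if caller is None:
        return 401, None
    if customer_id != caller:
        return 403, None  # object-level authorization: never serve another customer's record
    return 200, CUSTOMERS[caller]


def harvest(handler, headers, candidate_ids):
    """What an enumerator does with the flaw: walk candidate IDs, keep the hits."""
    leaked = {}
    for cid in candidate_ids:
        status, record = handler(headers, cid)
        if status == 200:
            leaked[cid] = record
    return leaked


if __name__ == "__main__":
    ids = ["100234", "100517", "100999"]
    app_headers = {"Authorization": "Bearer " + STATIC_APP_TOKEN}
    print("vulnerable:", sorted(harvest(vulnerable_get_customer, app_headers, ids)))
    bob = login("bob@example.com", "battery staple")
    print("hardened:  ", sorted(harvest(secure_get_customer, {"Authorization": "Bearer " + bob}, ids)))
```

The point of the hardened handler is that the identifier in the URL never decides whose data is returned; the server-side session does. Dropping the ID from the URL altogether (a `/me`-style endpoint) removes the temptation entirely, and a 403 on mismatch should be logged, since a legitimate client has no reason to request someone else's record.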
Although the customer IDs are not strictly sequential, they follow a pattern that makes enumerating them far easier than guessing random numbers.
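Enumeration of this kind leaves a footprint in API access logs: one client walking through many distinct customer IDs in a short window, including IDs that do not exist. The detector below is an added example, not anything BrewDog or Pen Test Partners published; the log format, endpoint path and client addresses are constructed. Because a hard-coded token is shared by every install, it cannot serve as the client key, so the example keys on source IP instead:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines in a hypothetical format
# (timestamp, client IP, method, path, status); not real logs or a real endpoint.
SAMPLE_LOG = """\
2021-09-20T10:00:01Z 198.51.100.4 GET /api/v1/customers/100234 200
2021-09-20T10:00:02Z 203.0.113.7 GET /api/v1/customers/100234 200
2021-09-20T10:00:03Z 203.0.113.7 GET /api/v1/customers/100235 404
2021-09-20T10:00:03Z 203.0.113.7 GET /api/v1/customers/100517 200
2021-09-20T10:00:04Z 203.0.113.7 GET /api/v1/customers/100518 200
2021-09-20T10:00:05Z 203.0.113.7 GET /api/v1/customers/100519 200
2021-09-20T10:00:06Z 203.0.113.7 GET /api/v1/customers/100520 200
2021-09-20T10:30:00Z 198.51.100.4 GET /api/v1/customers/100234 200
2021-09-20T11:00:00Z 198.51.100.9 GET /api/v1/customers/100517 200
2021-09-20T12:00:00Z 198.51.100.9 GET /api/v1/customers/100519 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) \S+ /api/v1/customers/(\d+) (\d{3})$")


def parse(log_text):
    """Return (timestamp, client, customer_id, status) for each customer-endpoint hit."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other endpoints or malformed lines are ignored
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return events


def find_enumerators(events, window=timedelta(minutes=5), threshold=3):
    """Flag clients that request >= threshold distinct customer IDs within `window`.
    404s count too: probing IDs that do not exist is still enumeration.
    Returns {client: most distinct IDs seen in any single window}."""
    by_client = defaultdict(list)
    for ts, client, cid, _status in sorted(events):
        by_client[client].append((ts, cid))
    flagged = {}
    for client, hits in by_client.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward
            distinct = {cid for _, cid in hits[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[client] = max(len(distinct), flagged.get(client, 0))
    return flagged


if __name__ == "__main__":
    print(find_enumerators(parse(SAMPLE_LOG)))
```

Keying on IP is a compensating control, not a fix: carrier-grade NAT will put many genuine users behind one address, and a patient attacker can stay under the threshold for a long time, which is exactly why an 18-month exposure can go unnoticed. The authorization check belongs in the API; the detector only tells you that you need it.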
Beyond the fact that anybody may read other app users' personal information, the ramifications of this discovery affect BrewDog's shareholders and customers, and the firm itself. The flaw could also be abused to generate QR codes for other customers' "loaded" accounts and redeem their bar discounts, yielding an effectively unlimited supply of free beer and discounts at someone else's expense.
The vulnerability was discovered in March 2020. Although BrewDog's team was promptly notified, the token handling went unfixed through many subsequent releases.
The problem was eventually fixed in version 2.5.13, released on September 27, 2021. It is unclear whether BrewDog has told its shareholders and customers that their data may have been compromised.
The firm will also have to notify the Information Commissioner's Office (ICO), the UK's data protection regulator, given the type of data exposed: personal data of this kind falls under the UK GDPR, which remains in force in the country after Brexit.