Brewer and pub chain BrewDog has updated its mobile app after ethical hackers uncovered a vulnerability that could potentially have exposed the personally identifiable information (PII) of about 200,000 of its Equity for Punks shareholders and many more customers, raising serious questions over how the app was coded and developed.
The data included names, dates of birth, email addresses, gender, delivery addresses, phone numbers, shareholder numbers, bar discount details and IDs, referrals made and beer buying history, and was accessible for at least 18 months.
The vulnerability was discovered by researchers at Pen Test Partners, a cyber security consultancy based in Buckinghamshire, who have now published their findings online.
According to the researchers, the source of the problem lay within the BrewDog mobile app, which was designed so that it gave every user the same hardcoded API bearer token. Such tokens are used to authenticate to APIs protected by OAuth 2.0, and would more usually and safely be issued only after a successful authentication request, granting access to a specific user’s device.
By hardcoding these tokens, the app developers made it possible for a user to access other users’ data by appending a different customer ID to the end of the API endpoint URL. Effectively, this meant a malicious actor could have brute-forced customer IDs to download the entire database of BrewDog app users.
This would have allowed them not only to target drinkers with identity theft, cyber fraud and other digitally enabled crime, but also to defraud BrewDog itself by generating QR codes for discounts on bar bills, or to take unfair advantage of special offers, such as free beer on people’s birthdays, by altering the data.
Pen Test Partners and BrewDog both said there was no apparent evidence that the data had been accessed, but the researchers pointed out that because every request would come from a valid BrewDog account, it would be hard to distinguish legitimate requests from malicious ones without a more thorough forensic investigation.
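To make the two flaws described above concrete, here is an added illustration (not BrewDog’s or Pen Test Partners’ code): a minimal endpoint that accepts one static token shared by every app install and returns whichever customer ID appears in the URL, beside a hardened version that issues a per-user token at login, checks that the token’s owner matches the requested record, and logs mismatches so that cross-account requests are distinguishable after the fact. All names, records and passwords are constructed for the example.

```python
import secrets

# Constructed sample records standing in for the customer database.
CUSTOMERS = {
    "1001": {"name": "Alice Example", "dob": "1990-05-01", "shares": 10},
    "1002": {"name": "Bob Example", "dob": "1985-11-23", "shares": 3},
}
PASSWORDS = {"1001": "alice-pw", "1002": "bob-pw"}  # constructed; plaintext only for brevity

# --- Broken pattern: one static token baked into the app binary --------------
HARDCODED_TOKEN = "app-wide-static-token"  # identical on every phone

def vulnerable_get_customer(auth_header, customer_id):
    """Checks only that *a* valid token was sent, never *whose* it is."""
    if auth_header != f"Bearer {HARDCODED_TOKEN}":
        return 401, None
    # Any holder of the shared token can walk through IDs 1001, 1002, ...
    return 200, CUSTOMERS.get(customer_id)

# --- Hardened pattern: per-user token from login, plus object-level checks ----
SESSIONS = {}   # token -> customer_id (server-side session store)
AUDIT_LOG = []  # (token owner, requested id) for rejected cross-account requests

def login(customer_id, password):
    """Issues a fresh random bearer token only after credentials check out."""
    if PASSWORDS.get(customer_id) != password:
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer_id
    return token

def fixed_get_customer(auth_header, customer_id):
    """Authenticates the caller, then authorises access to this specific record."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401, None
    owner = SESSIONS.get(auth_header[len("Bearer "):])
    if owner is None:
        return 401, None  # unknown, revoked or expired token
    if owner != customer_id:
        AUDIT_LOG.append((owner, customer_id))  # token subject != requested object
        return 403, None  # object-level authorisation failure (IDOR / BOLA)
    return 200, CUSTOMERS.get(customer_id)
```

The audit entries are what a forensic review would need: with the shared token, every request is indistinguishable from the app’s own traffic, whereas the per-user binding makes a request for somebody else’s record an explicit, loggable event.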
The researchers said the breach raised serious questions over apparent security flaws in the development process behind BrewDog’s app.
“It’s really odd that the static bearer token wasn’t spotted before,” they said. “Functional API testing should have revealed this issue, as would a thorough security review.
“These bearer tokens are not the only keys that are present in the BrewDog source code. It doesn’t take much effort to search for ‘bearer’ or ‘key’ and identify hard-coded tokens.”
The researchers added: “When the API was being designed, did they think they would need a bearer token pre-authentication for some reason? This design decision should have been identified by an internal security team that should have been involved at the start of the project.”
However, the researchers also claimed they had encountered serious difficulties in attempting to make a responsible disclosure to BrewDog, leaving the data at risk for longer than necessary and casting further doubt on the firm’s security posture.
In their disclosure, they said they had struggled to get through to someone at the organisation empowered to assist, and that although the firm did take down the vulnerable API quickly, doing so broke the app’s functionality and, because BrewDog did not communicate what it had done or why, left users frustrated.
At the time of writing, Pen Test Partners – a number of whose staff are shareholders and users of the app, and found their own data during the research – said that, as far as they were aware, no communication about the incident had yet been made.
“I worked with BrewDog for a month and tested six different versions of their app for free,” said one of the Pen Test Partners’ researchers. “I’m left a bit disappointed by BrewDog both as a customer, a shareholder, and the way they responded to the security disclosure. I need a beer.”
A BrewDog spokesperson told Computer Weekly in a statement: “We were recently informed of a vulnerability in one of our apps by a third-party technical security services firm, following which we immediately took the app down and resolved the issue. We have not identified any other instances of access via this route or personal data having been impacted in any way. There was therefore no requirement to notify users.
“We are grateful to the third-party technical security services firm for alerting us to this vulnerability. We are totally committed to ensuring the security of our users’ privacy. Our security protocols and vulnerability assessments are always under review and always being refined, in order that we can ensure that the risk of a cyber security incident is minimised.”
OneLogin global data protection officer Niamh Muldoon said the incident was a valuable lesson in not only secure coding, but in the fundamentals of organisational security policy.
“Business leaders who do not understand that trust and security is a true business differentiator are likely to see an impact on their brand and business over the next couple of years if they haven’t already experienced it,” she said. “By 2023, 65% of the world’s population will have their personal data covered under modern privacy regulations, up from 10% in 2020.
“This problem must be addressed at every level of an organisation, including boardroom and executive management teams. There is a slight increase in trust and security expertise sitting at executive management and boardroom levels, but this is inconsistent across all industries and businesses. If a lack of representation at these levels continues, it will impact the trust and brand reputation associated with an organisation.”
Muldoon added: “Business leaders need to think of the operational controls that can be executed as part of the day-to-day operations to protect data and systems, as well as how they can use these control sets to create a high-performing team working with security and privacy organisations.”