Craft beer specialist Brewdog fixes serious app vulnerability


Vulnerability in brewer’s mobile app could have had serious consequences for its shareholders and customers

By Alex Scroxton

Published: 08 Oct 2021 14:19

Brewer and pub chain BrewDog has updated its mobile app after ethical hackers uncovered a vulnerability that could potentially have exposed the personally identifiable information (PII) of about 200,000 of its Equity for Punks shareholders and many more customers, which has raised serious questions over how the app was coded and developed.

The data included names, dates of birth, email addresses, gender, delivery addresses, mobile phone numbers, shareholder numbers, bar discount details and IDs, referrals made and beer purchasing history, and was accessible for at least 18 months.

The vulnerability was found by researchers at Pen Test Partners, a cyber security consultancy based in Buckinghamshire, who have now published their findings online.

According to the researchers, the source of the problem lay within the BrewDog mobile app, which was designed so that it gave every user the same hardcoded API bearer token. A bearer token is used to authenticate to APIs protected by OAuth 2.0, and would more usually and safely only be issued after a successful authentication request, granting access to a specific user’s device.

By hardcoding these tokens, the app developers made it possible for a user to access other users’ data by appending a different customer ID to the end of the API endpoint URL. Effectively, this meant a malicious actor could have brute-forced customer IDs to download the entire database of BrewDog app users.
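The two API behaviours described above, side by side, as an added illustration that is not BrewDog’s or Pen Test Partners’ code: a handler that accepts one static token shipped in every app build and so returns whichever customer record the caller names in the URL, next to a hardened handler that issues a token bound to one customer after login and refuses requests for any other customer ID. The customer records, the static token value and the HMAC-signed token format are all constructed for the example.

```python
"""Added example (not BrewDog's or Pen Test Partners' code).

Contrasts an API that accepts one shared, hardcoded bearer token for every
user (so any caller can read any customer record by changing the ID in the
URL) with one that issues a per-user token after authentication and checks
that the token's subject matches the record being requested.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Constructed sample "database": customer ID -> PII record (no real data).
CUSTOMERS = {
    1001: {"name": "Alice Example", "email": "alice@example.invalid", "dob": "1990-01-01"},
    1002: {"name": "Bob Example", "email": "bob@example.invalid", "dob": "1985-05-05"},
}

# --- Vulnerable pattern: one static token baked into every copy of the app ---
SHARED_APP_TOKEN = "static-token-shipped-in-every-app-build"  # constructed value


def vulnerable_get_customer(auth_header: str, customer_id: int):
    """Authenticates the *app*, not the user: anyone holding the shared token
    can fetch ANY customer record simply by choosing a different ID."""
    if auth_header != f"Bearer {SHARED_APP_TOKEN}":
        return 401, None
    record = CUSTOMERS.get(customer_id)
    return (200, record) if record else (404, None)


# --- Hardened pattern: per-user token issued only after authentication -------
SERVER_SECRET = secrets.token_bytes(32)  # lives on the server; never in the app binary


def issue_token(customer_id: int) -> str:
    """Mint an HMAC-signed token bound to one customer. In a real service this
    runs only after the user's credentials have been verified."""
    payload = base64.urlsafe_b64encode(json.dumps({"sub": customer_id}).encode())
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return payload.decode() + "." + base64.urlsafe_b64encode(sig).decode()


def verify_token(token: str):
    """Return the customer ID the token was issued to, or None if it is
    malformed, forged or tampered with."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        sig = base64.urlsafe_b64decode(sig_b64)
        payload = base64.urlsafe_b64decode(payload_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_SECRET, payload_b64.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(payload)["sub"]


def hardened_get_customer(auth_header: str, customer_id: int):
    """Authenticate the caller, then authorise: the token's subject must be the
    customer whose record is requested (object-level authorisation)."""
    if not auth_header.startswith("Bearer "):
        return 401, None
    subject = verify_token(auth_header[len("Bearer "):])
    if subject is None:
        return 401, None
    if subject != customer_id:
        return 403, None  # no cross-customer reads, whatever ID is in the URL
    record = CUSTOMERS.get(customer_id)
    return (200, record) if record else (404, None)


if __name__ == "__main__":
    shared = f"Bearer {SHARED_APP_TOKEN}"
    print("vulnerable, other customer:", vulnerable_get_customer(shared, 1002)[0])
    alice = "Bearer " + issue_token(1001)
    print("hardened, own record:", hardened_get_customer(alice, 1001)[0])
    print("hardened, other customer:", hardened_get_customer(alice, 1002)[0])
```

The hardened handler fails closed on two separate checks: a token that does not verify against the server-side secret is rejected with 401, and a valid token presented for a different customer ID is rejected with 403. A per-user token alone is not enough; it is the second check that closes the ID-substitution hole the researchers describe.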

This could have allowed them not only to target drinkers with identity theft, cyber fraud and other digitally enabled crime, but also to defraud BrewDog itself by generating QR codes for discounts on bar bills, or to take unfair advantage of special offers, such as free beer on people’s birthdays, by altering the data.

Pen Test Partners and BrewDog both said there was no apparent evidence that the data had been accessed, but the researchers pointed out that because every request would have come from a genuine BrewDog account, it would be hard to establish whether any requests were illegitimate without a more thorough forensic investigation.

The researchers said the breach raised serious questions over apparent security flaws in the development process behind BrewDog’s app.

“It’s really unusual that the static bearer token wasn’t spotted before,” they said. “Functional API testing should have revealed this issue, as would a thorough security review.

“These bearer tokens are not the only keys that are visible in the BrewDog source code. It doesn’t take much effort to search for ‘bearer’ or ‘key’ and identify hard-coded tokens.”

The researchers added: “When the API was being designed, did they think they would need a bearer token pre-authentication for some reason? This design risk should have been identified by an internal security team that should have been involved at the start of the project.”
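The researchers’ point that a search for ‘bearer’ or ‘key’ in the source would have surfaced the hard-coded tokens is the kind of check a development team can run on every commit. The scanner below is an added example, not Pen Test Partners’ tool or anything from BrewDog’s codebase: it walks source text line by line, flags string literals that look like bearer tokens or assigned API keys, and skips lines that clearly read a value from the environment or use an obvious placeholder. The sample source lines it scans are constructed.

```python
"""Added example (not Pen Test Partners' or BrewDog's code).

A small pre-commit style scan for hard-coded bearer tokens and API keys in
source text, the kind of check that would have flagged a static token before
it shipped in an app build. The patterns are deliberately simple; a real
deployment would use a dedicated secret scanner with more rules.
"""
import re

# What a leaked credential tends to look like in source.
PATTERNS = {
    # "Bearer <long opaque token>" inside a string literal
    "bearer_token": re.compile(r"""(?i)['"]bearer\s+[A-Za-z0-9\-._~+/]{16,}=*['"]"""),
    # apiKey = "...", secret: "...", token = "...", password = "..."
    "assigned_key": re.compile(
        r"""(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['"][^'"]{12,}['"]"""
    ),
}

# Lines that read a value at runtime or use an obvious placeholder are not findings.
ALLOWLIST = re.compile(r"(?i)\b(example|placeholder|changeme|todo)\b|\$\{|os\.environ|getenv|BuildConfig")


def scan_source(text: str):
    """Return (line_number, rule_name, stripped_line) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if ALLOWLIST.search(line):
            continue
        for rule, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, rule, line.strip()))
                break  # one finding per line is enough to fail the check
    return findings


# Constructed sample source (Kotlin-style Android code); none of these values are real.
SAMPLE_SOURCE = "\n".join([
    'val AUTH = "Bearer eyJhbGciOiJIUzI1NiJ9.c3RhdGljLWFwcC10b2tlbg.constructedsig"',
    'val apiKey = "ak_live_constructed0123456789"',
    'val baseUrl = "https://api.example.invalid/v1"',
    'val token = BuildConfig.TOKEN_FROM_ENV  // injected at build time, not a literal',
    'val password = "placeholder"',
])


def check_passes(text: str) -> bool:
    """Gate for CI: True only when the scan produces no findings."""
    return not scan_source(text)


if __name__ == "__main__":
    for lineno, rule, line in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}: {line}")
    print("check passes:", check_passes(SAMPLE_SOURCE))
```

Run against the constructed sample, the scan reports the literal bearer token on line 1 and the assigned API key on line 2, while the URL, the build-time injected value and the placeholder password are left alone. Wiring `check_passes` into a pre-commit hook or CI job turns the researchers’ manual grep into a gate that fails before a static credential reaches a release build.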

However, the researchers also claimed they had encountered serious difficulties in trying to make a responsible disclosure to BrewDog, putting the data at risk for longer than need be, and casting further doubt on the firm’s security posture.

In their disclosure, they said they had struggled to get through to anyone at the organisation empowered to help, and that although the firm did take down the vulnerable API quickly, this affected the app’s functionality and, because it did not communicate what it had done or why, left users frustrated.

At the time of writing, Pen Test Partners said that as far as they were aware – many of the firm’s staffers are shareholders and users of the app and exposed their own data during the research – no communication about the incident had yet been made.

“I worked with BrewDog for a month and tested six different versions of their app for free,” said one of the Pen Test Partners researchers. “I’m left a little disappointed by BrewDog both as a customer, a shareholder, and the way they responded to the security disclosure. I need a beer.”

A BrewDog spokesperson told Computer Weekly in a statement: “We were recently informed of a vulnerability in one of our apps by a third-party technical security services firm, following which we immediately took the app down and resolved the issue. We have not identified any other instances of access via this route or personal data having been impacted in any way. There was therefore no requirement to notify users.

“We’re grateful to the third-party technical security services firm for alerting us to this vulnerability. We’re fully committed to ensuring the security of our customers’ privacy. Our security protocols and vulnerability assessments are constantly under review and constantly being refined, so that we can ensure that the risk of a cyber security incident is minimised.”

OneLogin global data security officer Niamh Muldoon said the incident was a valuable lesson in not only secure coding, but in the basics of organisational security policy.

“Business leaders who do not recognise that trust and security is a real business differentiator are likely to see an impact on their brand and business over the next few years if they haven’t already experienced it,” she said. “By 2023, 65% of the world’s population will have their personal data covered under modern privacy regulations, up from 10% in 2020.

“This issue must be addressed at every level of an organisation, including boardroom and executive management teams. There’s a small increase in trust and security skills sitting at executive management and boardroom levels, but this is inconsistent across industries and businesses. If a lack of representation at these levels continues, this will affect the trust and brand reputation associated with an organisation.”

Muldoon added: “Business leaders need to think about the operational controls that can be implemented as part of day-to-day operations to protect data and systems, as well as how they can use these control sets to build a high-performing team working with security and privacy organisations.”
