In an incident that suggests a case of arrested development, circa sophomore year, Sky News reports that a vulnerability in Scottish brewery and pub chain BrewDog's mobile app gave hackers access to the details of over 200,000 of the company's shareholders in its Equity for Punks program. As ZDNet details, the issue was a user-authentication flaw: the app shipped with a hard-coded authentication token that the backend accepted without ever verifying the user's credentials, so anyone who extracted the token from the app could query the API as if logged in. Bonus: users are eligible for a free beer on their birthdays, so in addition to the data, the hackers could get a free pint. Computer Weekly adds that the researchers who discovered the vulnerability had difficulty disclosing it to BrewDog, which calls the company's dedication to security into question. BrewDog has since fixed the bug and says it has found no evidence that the data was tampered with.
Jason Kent, Hacker in Residence at Cequence Security, wrote that, unfortunately, APIs bleeding data in this way is not that uncommon:
“API breaches that align with the OWASP API Top 10 aren't that uncommon anymore. In this case, simple enumeration of IDs while being authenticated via a hardcoded API Key follows as well. Authentication and authorization issues are at the top of the list for a reason. Here you can see both issues lead to complete acquisition of the customer database, utilization and even things like "rewards" points can be utilized without the permission of the account owner. BrewDog's response is, unfortunately, very similar to our own experiences with reporting APIs bleeding out data in an uncontrolled manner. Dumping the entire customer database and having access to all of the information for an organization's customers shouldn't be ignored and is a great lesson to anyone with an API that wants to ensure its security.”
Yariv Shivek, VP of Product at Neosec, was also moved to write, more in sadness than in anger, about how commonplace the errors behind the incident remain:
“Hardcoding API credentials (API keys, tokens, etc.) into mobile apps is sadly a common mistake. Mobile applications -- as well as single-page web applications (aka SPAs) -- run in untrusted client environments, environments under the (ab)user's control. Looking for API credentials in applications is easy, and when those credentials allow bypassing authentication or authorization, this can lead to data leaks and even complete account takeovers.”
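The two defects the reports and both experts describe, a single hard-coded API token shipped to every install and an endpoint that serves shareholder records by a guessable numeric ID without checking who is asking, are easier to see side by side in code. The following is an added illustration, not BrewDog's real API or code from either commentator: the vulnerable handler, a hardened one that issues per-user session tokens and enforces ownership, and the enumeration loop that shows why the first leaks the whole customer table while the second returns only the caller's own record. The token value, customer records, handler names and login stub are all constructed assumptions for the example.

```python
"""
Added example: a hard-coded app token plus ID enumeration (vulnerable)
next to per-user tokens plus an ownership check (hardened).
Everything here is constructed; none of it is BrewDog's API.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data standing in for a shareholder database.
CUSTOMERS = {
    1001: {"name": "Alice", "email": "alice@example.test", "shares": 12},
    1002: {"name": "Bob", "email": "bob@example.test", "shares": 3},
    1003: {"name": "Carol", "email": "carol@example.test", "shares": 40},
}

# Assumed: the token the vulnerable app embeds in every build. Anyone who
# unpacks the app can read it, so it identifies the app, not a user.
HARDCODED_APP_TOKEN = "app-token-shared-by-every-install"


@dataclass
class Request:
    bearer: Optional[str]  # value of the Authorization: Bearer header
    customer_id: int       # the id the client put in the URL path


# --- Vulnerable: static token, caller-supplied id, no ownership check ----

def vulnerable_get_customer(req: Request) -> Optional[dict]:
    """Accept the shared app token and serve whatever id was requested."""
    if req.bearer != HARDCODED_APP_TOKEN:
        return None
    # Authentication proves only "this is our app"; nothing ties the token
    # to the customer being requested, so any id in range is served.
    return CUSTOMERS.get(req.customer_id)


# --- Hardened: per-user session token issued after login + ownership -----

SESSIONS: dict = {}  # session token -> authenticated customer id


def login(customer_id: int, password_ok: bool) -> Optional[str]:
    """Issue an unguessable per-user token only after credentials verify.

    password_ok stands in for a real credential check (assumption).
    """
    if not password_ok or customer_id not in CUSTOMERS:
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer_id
    return token


def _lookup_session(bearer: Optional[str]) -> Optional[int]:
    """Map a presented bearer token to the customer it was issued to."""
    if bearer is None:
        return None
    presented = bearer.encode("utf-8", "replace")
    # Constant-time comparison so timing does not reveal partial matches;
    # a real service would key a lookup by a hash of the token instead.
    for token, cid in SESSIONS.items():
        if hmac.compare_digest(token.encode(), presented):
            return cid
    return None


def hardened_get_customer(req: Request) -> Optional[dict]:
    """Authenticate the caller, then authorize: the id must be theirs."""
    caller = _lookup_session(req.bearer)
    if caller is None:
        return None            # would be HTTP 401: not authenticated
    if caller != req.customer_id:
        return None            # would be HTTP 403: not the record owner
    return CUSTOMERS[caller]


# --- Enumeration: what one token lets an attacker pull ------------------

def enumerate_customers(handler: Callable[[Request], Optional[dict]],
                        bearer: Optional[str], id_range: range) -> dict:
    """Walk the id space with a single token; return every record served."""
    found = {}
    for cid in id_range:
        rec = handler(Request(bearer=bearer, customer_id=cid))
        if rec is not None:
            found[cid] = rec
    return found


if __name__ == "__main__":
    leaked = enumerate_customers(vulnerable_get_customer,
                                 HARDCODED_APP_TOKEN, range(1000, 1010))
    print("vulnerable API leaked", len(leaked), "of", len(CUSTOMERS))
    bob = login(1002, password_ok=True)
    mine = enumerate_customers(hardened_get_customer, bob, range(1000, 1010))
    print("hardened API served only", sorted(mine))
```

The point of the hardened path is that the token is the output of a credential check, not a constant baked into the client, and that the server derives the caller's identity from the token and compares it against the id in the URL rather than trusting the client to ask only for its own record. Extracting a secret from a mobile app or SPA is routine, so a credential found there must be treated as public.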