BrewDog exposes data of 200,000 customers and shareholders
BrewDog, one of the world's largest craft beer brewers, has exposed personally identifiable information (PII) belonging to more than 200,000 of its shareholders and customers, according to cybersecurity researchers.
Cybersecurity consulting firm PenTest Partners discovered that a flaw in the official BrewDog app, which persisted for more than 18 months, made it easy for anyone to access the PII of other users.
In its detailed report, PenTest Partners notes that the mobile app distributed the same hard-coded API Bearer Token to every install, which effectively rendered request authorization useless: the server could not tell one user's app from another's.
"It was therefore trivial for any user to access another user's PII, shareholding, bar discount, and more," shared the researchers.
The researchers say that, thanks to the flaw, any user could append the customerID of another user to the API endpoint URL to extract their PII and other details.
In addition to being damaging to the user, the flaw could also have been used to adversely affect the company, since the leaked details could have been used to generate QR codes to receive discounted and even free beers.
BrewDog started using hard-coded tokens with v2.5.5 of its app, launched in March 2020, before finally patching the flaw in the v2.5.13 release in September 2021.
Lack of alerts?
Worryingly, the company decided not to disclose the vulnerability to its users, even after it was fixed, going as far as to claim that there wasn't anything "too exciting in this release".
Furthermore, PenTest Partners says that, in its correspondence with the company, BrewDog claimed it found no evidence of the flaw being abused.
"We were recently informed of a vulnerability in one of our apps by a third party specialist security services firm, following which we immediately took the app down and resolved the issue," said the firm in a statement.
"We have not known any other instances of access via this route or personal data having been impacted in any way. There was hence no need to notify users."
However, the researchers point out that the nature of the flaw means its abuse wouldn't have been apparent in the logs: because every install presented the same token, a request for another user's record looked identical to a legitimate one, making identifying misuse virtually impossible.
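The two failure modes the article describes, one shared bearer token for every install and an endpoint that trusts whatever customerID appears in the URL, can be shown side by side with the fix. The following is an added illustration written for this page; it is not BrewDog's code, not PenTest Partners' proof of concept, and the API path, token value and customer records are all constructed. It also shows why the researchers' point about logs holds: with a shared token the audit trail records no subject, so nothing distinguishes a cross-account read, whereas a per-user token lets the server compare the authenticated subject with the requested ID and log the mismatch.

```python
"""Shared-token IDOR beside its hardened form (constructed example, not BrewDog's code)."""
import hashlib
import secrets

# Constructed sample records; IDs and contents are hypothetical.
CUSTOMERS = {
    "1001": {"name": "Alice Example", "shares": 12, "bar_discount": "10%"},
    "1002": {"name": "Bob Example", "shares": 3, "bar_discount": "5%"},
}

# ---- Vulnerable pattern: one token baked into every app build ------------
SHARED_TOKEN = "static-token-in-every-build"  # hypothetical value


def vulnerable_get_customer(auth_header, customer_id, audit_log):
    """Accepts the shared token, then returns whichever record the URL names.

    The token proves only 'this request came from some copy of the app', so
    the server has no identity to compare customer_id against. The log line
    carries no subject either, which is why misuse leaves no visible trace.
    """
    if auth_header != f"Bearer {SHARED_TOKEN}":
        return 401, None
    audit_log.append(f"GET /customers/{customer_id} token=shared")
    record = CUSTOMERS.get(customer_id)
    return (200, record) if record else (404, None)


# ---- Hardened pattern: per-user tokens, identity taken from the token -----
_SESSIONS = {}  # sha256(token) -> customer_id, populated at login


def issue_token(customer_id):
    """Issue a random per-user bearer token; store only its hash server-side."""
    token = secrets.token_urlsafe(32)
    _SESSIONS[hashlib.sha256(token.encode()).hexdigest()] = customer_id
    return token


def _subject_for(auth_header):
    """Resolve the authenticated customer from the Authorization header, or None."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return None
    digest = hashlib.sha256(auth_header[len("Bearer "):].encode()).hexdigest()
    return _SESSIONS.get(digest)


def hardened_get_customer(auth_header, customer_id, audit_log):
    """Identity comes from the token; the URL ID must match it or the call is denied."""
    subject = _subject_for(auth_header)
    if subject is None:
        return 401, None
    if customer_id != subject:
        # Ownership mismatch: refuse and record who asked for what.
        audit_log.append(f"DENY GET /customers/{customer_id} subject={subject}")
        return 403, None
    audit_log.append(f"GET /customers/{customer_id} subject={subject}")
    return 200, CUSTOMERS[customer_id]


def cross_account_attempts(audit_log):
    """Detection: count requests where the requested ID differed from the subject.

    Only possible once the log records a subject; the shared-token log never does.
    """
    return sum(1 for line in audit_log if line.startswith("DENY "))


if __name__ == "__main__":
    shared_log, per_user_log = [], []
    print(vulnerable_get_customer(f"Bearer {SHARED_TOKEN}", "1002", shared_log))
    alice = issue_token("1001")
    print(hardened_get_customer(f"Bearer {alice}", "1002", per_user_log))
    print("shared-token log:", shared_log)
    print("per-user log:", per_user_log)
    print("detectable attempts:", cross_account_attempts(shared_log),
          cross_account_attempts(per_user_log))
```

The key change is that `hardened_get_customer` never decides identity from the request path: the token alone says who is calling, and the path is checked against that. Storing only a hash of the issued token means a leaked session table does not hand out usable credentials, and writing the subject into every log line is what turns a silent cross-account read into something a detection rule can count.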
While the company had asked the researchers not to name it in their disclosure, BleepingComputer contends that BrewDog will be forced to inform the UK's data protection regulator, since PII falls under the purview of the General Data Protection Regulation (GDPR).
However, it appears the company disagrees. In a private forum post seen by TechRadar Pro, the company told shareholders it is under no obligation to report the incident to the Information Commissioner's Office (ICO), as per the advice of an external expert.
"The ICO is very clear on this," the company wrote. "We have to notify when users' data has been put at risk. As this was a vulnerability report, and the only personal data that was accessed was that of the third party conducting the assessment, there is no requirement to notify."
BrewDog also took steps to prepare shareholders for a backlash that may arise as a result of the bug discovery.
"Vulnerability disclosure is a key part of the cybersecurity landscape and is a common occurrence. Many businesses welcome this practice and offer bounties to those who find issues. Unfortunately, following the negative press earlier this year, this occurrence may be viewed publicly through a different lens."
TechRadar Pro has contacted BrewDog for comment.
Update:
BrewDog has since provided us with the following statement:
"We are grateful to the third party technical security services firm for alerting us to this vulnerability. We are totally committed to ensuring the security of our users' privacy. Our security protocols and vulnerability assessments are constantly under review and always being refined, so that we can ensure that the risk of a cyber security incident is reduced."
Via BleepingComputer
Source: https://www.techradar.com/news/brewdog-exposes-data-of-200000-customers-and-shareholders