BrewDog Exposes Data of 200,000 Customers and Shareholders (techradar.com)
An anonymous reader quotes a report from TechRadar: BrewDog, one of the world's largest craft beer brewers, has exposed personally identifiable information (PII) belonging to more than 200,000 of its shareholders and customers, according to cybersecurity researchers. Cybersecurity consulting firm PenTest Partners discovered that a flaw in the official BrewDog app, which persisted for more than 18 months, made it easy for anyone to access the PII of other users. In its detailed report, PenTest Partners notes that the mobile app doled out the same hard-coded API bearer token, which effectively rendered request authorization useless. The researchers say that, thanks to the flaw, any user could append the customerID of another user to the API endpoint URL to extract their PII and other details. In addition to being damaging to the user, the flaw could've also been used to adversely affect the company, since the leaked details could've been used to generate QR codes to get discounted and even free beers. BrewDog started using hard-coded tokens with v2.5.5 of its app, launched in March 2020, before finally patching the flaw in the v2.5.13 release in September 2021.
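The two defects the summary describes (a single bearer token baked into every copy of the app, and an endpoint that trusts the customerID in the URL) are shown side by side below. This is an added example written for this page, not BrewDog's or PenTest Partners' code; the customer records, the token string, the route shape and the log lines are all constructed, and the API is reduced to plain functions so it runs offline. The hardened handler issues a random token per login and checks that the token's owner matches the requested customerID (object-level authorization); the last function is the detection side, flagging any token that reads many distinct customer records, which is the signature a shared static token produces in access logs.

```python
"""Shared hard-coded bearer token vs. per-user token bound to a customer id,
plus a log check for one token reading many customers' records."""
import secrets
from dataclasses import dataclass

# Constructed sample customer records (not real data).
CUSTOMERS = {
    "1001": {"name": "Alice Example", "email": "alice@example.invalid"},
    "1002": {"name": "Bob Example", "email": "bob@example.invalid"},
    "1003": {"name": "Carol Example", "email": "carol@example.invalid"},
}

# --- Vulnerable pattern: one static token shipped inside every install -----
# Hypothetical constant, constructed for the example.
SHARED_APP_TOKEN = "static-token-shipped-in-the-app"


def vulnerable_get_customer(auth_header, customer_id):
    """Any request carrying the shared token passes; the customerID taken
    from the URL alone decides whose record comes back (IDOR)."""
    if auth_header != f"Bearer {SHARED_APP_TOKEN}":
        return 401, None
    record = CUSTOMERS.get(customer_id)
    return (200, record) if record else (404, None)


# --- Hardened pattern: token issued at login and bound to one customer -----
@dataclass(frozen=True)
class Session:
    customer_id: str


SESSIONS = {}  # token -> Session, kept server-side


def issue_token(customer_id):
    """Issue an unguessable per-user token at login time."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = Session(customer_id=customer_id)
    return token


def parse_bearer(auth_header):
    """Return the token from 'Bearer <token>', or None if malformed."""
    scheme, _, token = (auth_header or "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    return token


def hardened_get_customer(auth_header, customer_id):
    """Authenticate the token, then authorize against the requested object."""
    token = parse_bearer(auth_header)
    session = SESSIONS.get(token) if token else None
    if session is None:
        return 401, None
    # Object-level authorization: a caller may only read its own record,
    # regardless of what customerID appears in the URL.
    if session.customer_id != customer_id:
        return 403, None
    record = CUSTOMERS.get(customer_id)
    return (200, record) if record else (404, None)


# --- Detection: one token reading many distinct customerIDs ---------------
# Constructed access-log lines (not real logs): "<token-id> GET /customers/<id>"
SAMPLE_LOG = """\
tokA GET /customers/1001
tokA GET /customers/1002
tokA GET /customers/1003
tokB GET /customers/1002
"""


def tokens_reading_many_customers(log_text, threshold=2):
    """Return token ids that fetched more than `threshold` distinct customer
    records; with a shared static token this is the tell-tale pattern."""
    seen = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].startswith("/customers/"):
            continue
        token, cid = parts[0], parts[2].rsplit("/", 1)[1]
        seen.setdefault(token, set()).add(cid)
    return sorted(t for t, ids in seen.items() if len(ids) > threshold)


if __name__ == "__main__":
    print(vulnerable_get_customer(f"Bearer {SHARED_APP_TOKEN}", "1002"))
    alice = issue_token("1001")
    print(hardened_get_customer(f"Bearer {alice}", "1001"))
    print(hardened_get_customer(f"Bearer {alice}", "1002"))
    print(tokens_reading_many_customers(SAMPLE_LOG))
```

With the shared token, the vulnerable handler returns Bob's record to anyone who knows the URL pattern; the hardened handler returns 403 for the same request and only serves the record that belongs to the session. The log check is deliberately crude (a count of distinct ids per token over a window would be tuned to real traffic), but it shows the kind of signal that would have surfaced the 18-month exposure early.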
Screw free credit monitoring. (Score:5, Funny)
I want free beer for a year.
Develop (hic) Develop (hic) Developers! (Score:2)
Re: (Score:2)
Or make sure to hit the Ballmer peak. https://xkcd.com/323/ [xkcd.com]
No shit (Score:3)
a flaw in the official BrewDog app
This is exactly why I do not own a "smart" phone. Relying on programmers to create something useful and safe is an anachronism, especially when it comes to selling. Pick any company which has an "app" and you are guaranteed to find something similar. This on top of them tracking what you do.
Just say no to "apps". Fuck the companies.
Re: (Score:3)
This is exactly why I do not own a "smart" phone. Relying on programmers to create something useful and safe is an anachronism
he exclaimed with conviction while using a highly complicated piece of electronics running millions of lines of code while also connected to a global computer network.
Re: (Score:2)
You can have a smartphone without using third party apps. Of course, some companies don't have websites which do what an app does. Fuck 'em.
I am always super irritated when something requires an app, and do my best to avoid it. And right now I'm using a phone without play services or a substitute, so I can't run most apps on the play store anyway... web interface or GTFO
wat (Score:3)
Then why have I never heard of them or of literally any of their products, even though I've gone to literally dozens of beer festivals?
How does "world's largest" fit to "craft"? (Score:4, Interesting)
Re: (Score:2)
It doesn't mean anything really. It vaguely means handcrafted, but all beer features human intervention from brewmasters, even giant-tank beers like buttwiper. If it means anything of substance, it's "independently owned".