According to PenTestPartners, BrewDog "declined to inform their shareholders and asked not to be named" in the research revealing the security flaw.
On October 8, the cybersecurity firm said that the Scottish brewery implemented a hard-coded Bearer authentication token associated with API endpoints designed for BrewDog's mobile applications.
A Bearer token is normally issued only after a user has submitted valid credentials, and it is that per-user token that then grants access to an endpoint. Because BrewDog's token was hard-coded into the app, every installation presented the same token, so this per-user verification step was effectively skipped.
PenTestPartners members, who happened to be BrewDog shareholders, appended each other's customer IDs to the end of API endpoint URLs. During tests, they found they were able to access the PII of Equity for Punks shareholders without any check that the requester was entitled to that customer's record.
Names, dates of birth, email addresses, genders, telephone numbers, previously used delivery addresses, shareholder numbers, shares held, referrals, and more were accessible. The researchers noted that the customer IDs were not sequential, but that alone did not prevent enumeration.
"An attacker could brute force the customer IDs and download the entire database of customers," the researchers said. "Not only could this identify shareholders with the largest holdings along with their home address, but it could also be used to generate a lifetime's supply of discount QR codes!"
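To make the flaw concrete, here is a small added model (example code, not BrewDog's or PenTestPartners' own) of an API that accepts one app-wide Bearer token and trusts the customer ID in the URL, beside a hardened version that issues a token per login and refuses to serve any other customer's record. Every token, customer ID, record, password and the "c-" plus four hex digits ID format are constructed assumptions for the example; the enumeration loop at the end models the brute force the researchers describe.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: the IDs, names and records below are invented for
# this example and have nothing to do with BrewDog's real customer database.
CUSTOMERS = {
    "c-4f21": {"name": "Alice Example", "dob": "1985-03-02", "shares": 120},
    "c-9a07": {"name": "Bob Example", "dob": "1990-11-17", "shares": 45},
    "c-e3b8": {"name": "Cara Example", "dob": "1978-06-30", "shares": 2000},
}

# ---- Vulnerable design: one Bearer token compiled into every copy of the app ----

APP_WIDE_TOKEN = "static-token-baked-into-the-app-binary"  # hypothetical value


def vulnerable_profile(headers, customer_id):
    """Return (status, record). Anyone holding the shared app token can read
    any customer: the token proves 'this is our app', not 'this is customer X',
    and the customer_id taken from the URL is trusted as-is."""
    if headers.get("Authorization") != "Bearer " + APP_WIDE_TOKEN:
        return 401, None
    record = CUSTOMERS.get(customer_id)
    return (200, record) if record else (404, None)


# ---- Hardened design: per-user token issued at login and bound to one customer ----

_SALT = b"constructed-fixed-salt-for-demo"  # real code uses a random salt per user


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


PASSWORDS = {cid: _hash_password(pw, _SALT) for cid, pw in
             [("c-4f21", "alice-pass"), ("c-9a07", "bob-pass"), ("c-e3b8", "cara-pass")]}
SESSIONS = {}  # bearer token -> customer_id it was issued to


def login(customer_id, password):
    """Issue a fresh random bearer token only after the credentials check out."""
    expected = PASSWORDS.get(customer_id)
    if expected is None or not hmac.compare_digest(_hash_password(password, _SALT), expected):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer_id
    return token


def hardened_profile(headers, customer_id):
    """Return (status, record). The token identifies exactly one customer, and
    the endpoint refuses to serve anyone else's record (object-level authz)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, None
    subject = SESSIONS.get(auth[len("Bearer "):])
    if subject is None:
        return 401, None
    if not hmac.compare_digest(subject, customer_id):
        return 403, None  # authenticated, but not entitled to this record
    record = CUSTOMERS.get(customer_id)
    return (200, record) if record else (404, None)


def candidate_ids():
    """Hypothetical ID format 'c-' plus four hex digits: 65,536 possibilities.
    Non-sequential is not the same as unguessable."""
    return ("c-%04x" % i for i in range(0x10000))


def enumerate_customers(endpoint, headers, ids):
    """Model the brute force the researchers describe: try every candidate ID
    against the endpoint and keep whatever comes back with HTTP 200."""
    found = {}
    for cid in ids:
        status, record = endpoint(headers, cid)
        if status == 200:
            found[cid] = record
    return found


if __name__ == "__main__":
    shared = {"Authorization": "Bearer " + APP_WIDE_TOKEN}
    harvested = enumerate_customers(vulnerable_profile, shared, candidate_ids())
    print("shared app token harvests %d of %d records" % (len(harvested), len(CUSTOMERS)))
    alice = {"Authorization": "Bearer " + login("c-4f21", "alice-pass")}
    harvested = enumerate_customers(hardened_profile, alice, candidate_ids())
    print("Alice's own token harvests %d record(s)" % len(harvested))
```

The point of the hardened handler is that the fix is not a stronger token: it is binding the token to an identity at login and then comparing that identity against the object being requested on every call. Rotating the hard-coded token, or making it longer, would have left the enumeration intact.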
PenTestPartners noted that some of the PII exposed would fall under the GDPR protection banner, and hard-coding authentication tokens is a failure to meet these standards.
Based on an analysis of older versions of the BrewDog app, the researchers say that the security issue was introduced in version 2.5.5, released in March 2020, and was not resolved for roughly 18 months.
After PenTestPartners reached out with its findings, researcher Alan Monie tested a total of six different builds. It took four fix attempts before the issue was resolved in version 2.5.13, released on September 27.
However, the changelog for this version does not appear to mention the vulnerability fix.
"The vulnerability is fixed," the researcher says. "As far as I know, BrewDog has not alerted their customers and shareholders that their personal details were left unprotected on the internet. I worked with BrewDog for a month and tested six different versions of their app for free. I'm left a bit disappointed by BrewDog both as a customer, a shareholder, and the way they responded to the security disclosure."
Speaking to ZDNet, a BrewDog spokesperson provided the following statement:
"We were recently informed of a vulnerability in one of our apps by a third party technical security services firm, following which we immediately took the app down and resolved the issue. We have not identified any other instances of access via this route or personal data having been impacted in any way. There was, therefore, no requirement to notify users.
We are grateful to the third-party technical security services firm for alerting us to this vulnerability. We are totally committed to ensuring the security of our users' privacy. Our security protocols and vulnerability assessments are always under review and always being refined in order that we can ensure that the risk of a cyber security incident is minimized."
BrewDog also told us:
"BrewDog was notified of a vulnerability and the potential for data to be compromised. Investigations found no evidence that it was. Therefore there is no requirement to inform the ICO. An independent party documented the case as is required by the ICO."