BrewDog, one of the largest craft brewers in the world, has exposed personally identifiable information (PII) belonging to more than 200,000 shareholders and customers, according to cybersecurity researchers.
Cybersecurity consultancy Pen Test Partners found that flaws in the official BrewDog app, which persisted for more than 18 months, made it easy for anyone to access the PII of other users.
In a detailed report, Pen Test Partners notes that the mobile app shipped with a hard-coded bearer token, which effectively rendered its authorization checks useless: every install presented the same credential, so the server could not tell one user from another.
“It was therefore trivial for any user to access any other user's PII, shareholding, bar discount, and more,” the researchers shared.
The researchers say that, because of the flaw, any user could append another user's customer ID to the API endpoint URL to extract their PII and other details.
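The following is an added illustration, not BrewDog's or Pen Test Partners' code, of why a single app-wide bearer token cannot authorize per-user requests, and of the object-level check a fixed API performs instead. All tokens, customer IDs and records are constructed sample data; the audit log shows the kind of denied-access record that makes probing visible, which the shared-token design could never produce.

```python
from typing import Optional

# Constructed sample data: one token baked into every app install (the broken
# design), per-user session tokens issued at login (the fixed design), and records.
SHARED_APP_TOKEN = "app-wide-token"
SESSION_TOKENS = {"tok-alice": "C1001", "tok-bob": "C1002"}
CUSTOMERS = {
    "C1001": {"name": "Alice", "shares": 120, "bar_discount": "10%"},
    "C1002": {"name": "Bob", "shares": 40, "bar_discount": "5%"},
}
AUDIT_LOG: list = []  # denied requests recorded by the hardened handler


def _bearer(auth_header: str) -> Optional[str]:
    """Return the token from an 'Authorization: Bearer <token>' value, or None."""
    prefix = "Bearer "
    return auth_header[len(prefix):] if auth_header.startswith(prefix) else None


def vulnerable_get_customer(auth_header: str, customer_id: str) -> Optional[dict]:
    """Broken pattern: the only check is 'does the caller hold the app token?'.
    Every install carries the same token, so this proves nothing about which
    user is calling, and whatever customer_id appears in the URL is served."""
    if _bearer(auth_header) != SHARED_APP_TOKEN:
        return None
    return CUSTOMERS.get(customer_id)


def hardened_get_customer(auth_header: str, customer_id: str) -> Optional[dict]:
    """Fixed pattern: identity comes from a per-user token, and the server
    compares that identity with the record being requested. A mismatch is
    refused and logged so that enumeration attempts leave a trace."""
    caller_id = SESSION_TOKENS.get(_bearer(auth_header) or "")
    if caller_id is None:
        AUDIT_LOG.append({"event": "unauthenticated", "requested": customer_id})
        return None
    if caller_id != customer_id:
        AUDIT_LOG.append({"event": "forbidden", "caller": caller_id,
                          "requested": customer_id})
        return None
    return CUSTOMERS.get(customer_id)
```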
Beyond the harm to users, the flaw could also have been used to hurt the company itself, because the leaked details could be used to generate a QR code to obtain discounts and even free beer.
BrewDog began using the hard-coded token with app version 2.5.5, launched in March 2020, before finally patching the flaw in the v2.5.13 release in September 2021.
Lack of alert?
Alarmingly, the company decided not to disclose the vulnerability to its users, even after it had been fixed, going so far as to claim that there was nothing “too interesting in this release”.
Furthermore, Pen Test Partners said that, in its correspondence with the company, BrewDog claimed it had found no evidence that the flaw had been misused.
“We were recently informed of a vulnerability in one of our apps by a third-party technical security services company, whereupon we immediately took the app down and resolved the issue,” the company said in a statement.
“We have not identified any other instances of access via this route, or personal data having been affected in any way. There is therefore no requirement to notify users.”
However, the researchers suggest that the nature of the flaw means abuse would not be apparent in the logs, making it almost impossible to identify misuse.
While the company asked the researchers not to mention it by name in the disclosure, BleepingComputer argues that BrewDog would be obliged to inform data protection authorities in the UK, because the PII falls within the scope of the General Data Protection Regulation (GDPR).
The company, however, does not appear to agree. In a private forum post seen by TechRadar Pro, the company told shareholders that it was not obliged to report the incident to the Information Commissioner's Office (ICO), on the advice of an external expert.
“The ICO is very clear on this,” the company wrote. “We must notify when user data has been put at risk. Since this was a vulnerability report, and the only personal data accessed was that of the third party conducting the assessment, there is no requirement to notify.”
BrewDog also took steps to prepare shareholders for the reaction that may follow the discovery of the bug.
“Vulnerability disclosure is an important part of the cybersecurity landscape and is a common occurrence. Many businesses invite this practice and offer rewards to those who find problems. Unfortunately, after the negative press earlier this year, this incident may be viewed by the public through a variety of lenses.”