A similar flaw exists in the Denny's Canada app. Reveals usernames, email, full name and phone number. The API is entirely unauthenticated and account hijacking is very easy. The app is used for reward points that grant you free meals.
I tried reaching out to them multiple times and was ignored. I tried contacting the firm that developed the app, and they ignored me. Maybe I should have made a pastebin dump :)
Hey, I work at Symantec Research Labs. If you still have not been able to get this looked at by someone from Denny's, I can probably have the right people take a look.
e-mail me at daniel_kats [at] symantec [dot] com
EDIT: please do not post your method publicly. That is a bad idea.
API seems to be down for maintenance. Nice to see Panera is taking action, sad to hear that this seems to be way, way after the original vulnerability was reported.
Their whole system seemed a bit odd to me, given that a password for your "account" is optional. Using the terminal you can log in with no password, then at the end it asks you if you want to save your credit card to your account. Maybe it requires a password at that point, but I wasn't going to try.
For non-Americans and as their page is down: What kind of accounts do you have at such a company? I never had an account with a restaurant, why would you use that and store personal information there?
I'm American but I have made accounts with restaurants to order for pickup (or delivery). It's especially helpful if you eat in a busy area with long lunch lines. It's also less error prone having the order in written form than trying to order over the phone. I think most restaurants use a vendor like Yelp for their ordering service, but I guess some big ones like Panera can afford to build one themselves (poorly).
Oh boy. I just verified this with a few phone numbers of folks that I know personally, and their personal data came back just fine. This isn't good! I hope it's patched ASAP.
That's exactly what you should do when you see a vulnerability. "Internet" "businesses" have proven that they don't understand kind words. Take all those lawsuits, or promises thereof, and shove.
Do this until they plead mercy. Are they? No they aren't yet!
If in doubt, put a catputer photo. Cats always look fabulous.
Update: It seems that error-cat has gone now. In summary, anybody could download a list of all people eating at these restaurants, their telephones, addresses, pastry preferences and last four numbers of their credit cards. Am I right? It seems that entering a single telephone number they obtain a dozen different users. Is it a sort of wildcard or something?
Wouldn't it be much better to talk with Panera Bread directly?
Why would you assume a security researcher who put in that much effort and kept the pastebin mostly anonymous didn't put in the effort to contact Panera Bread?
Is there a reason you automatically assume that the security researcher is irresponsible, but companies, who almost daily, have data breaches, are responsible in these scenarios?
"Hey, maybe you should contact the company?!" Thank you captain fucking obvious.
Because there is no data that specifies the opposite in the link (and extra info was lacking when I wrote it), it is a reasonable and logical first thing to check.
> Is there a reason you automatically assume that the security researcher is irresponsible...?
Please, don't put words in my mouth. I didn't call anybody irresponsible and I didn't automatically assume anything. To be honest, I couldn't care less about who, if anyone, has the responsibility here. I'm trying to learn something. Not more, not less.
Captain fucking obvious is a nice title. We'll have a safer world when people start paying notice to a lot of fucking obvious and boring things. This reminds me a lot of the outrageous lexNET case (that was much, much worse than the internet knowing who has a sweet tooth for buns).
Apparently he tried talking with Panera directly. First contact was 6 months ago. The vulnerability still exists so he decided to release it publicly. I think that's reasonable.
It wasn't fixed immediately after release. Apparently all they did at first was:
1.) Take down site for 2 hours
2.) Require logins to access api.
3.) Get on fox news and say it's "fixed"
...
then we come to find out you can still access all data from the API once you login
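The "require logins" step above adds authentication but no authorization, which is why the data stayed reachable. The following toy lookup API is an added example written for this page (not Panera's code or anything from the thread); its customers, session tokens and request log are constructed in-memory sample data. It shows the login-only handler beside one that enforces object-level authorization, plus a small detection check over a request log.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Customer:
    phone: str
    name: str
    email: str

# Constructed sample data; every value here is fictitious.
CUSTOMERS = {
    "5550001111": Customer("5550001111", "A. Example", "a@example.test"),
    "5550002222": Customer("5550002222", "B. Example", "b@example.test"),
}
SESSIONS = {"tok-a": "5550001111", "tok-b": "5550002222"}  # token -> account phone

def lookup_authn_only(token, phone):
    """The 'require logins to access api' fix from the thread: a valid session is
    needed, but nothing ties the queried phone to the caller, so any logged-in
    account can read any record."""
    if token not in SESSIONS:
        return {"error": "login required"}
    rec = CUSTOMERS.get(phone)
    return {"name": rec.name, "email": rec.email} if rec else {"error": "not found"}

def lookup_authz(token, phone):
    """Hardened: authenticate, then enforce object-level authorization. A record
    the caller does not own is reported exactly like a missing one, so the
    endpoint does not become an oracle for which phone numbers are customers."""
    owner = SESSIONS.get(token)
    if owner is None:
        return {"error": "login required"}
    rec = CUSTOMERS.get(phone)
    if rec is None or rec.phone != owner:
        return {"error": "not found"}
    return {"name": rec.name, "email": rec.email}

def flag_enumeration(request_log, max_distinct=3):
    """Detection: a session that queries many distinct phone numbers is scraping,
    not looking up its own account. request_log is a list of (token, phone)."""
    seen = defaultdict(set)
    for token, phone in request_log:
        seen[token].add(phone)
    return sorted(t for t, phones in seen.items() if len(phones) > max_distinct)

if __name__ == "__main__":
    print(lookup_authn_only("tok-b", "5550001111"))  # B's session reads A's record
    print(lookup_authz("tok-b", "5550001111"))       # same request, now denied
    LOG = [("tok-b", f"555000{i:04d}") for i in range(10)] + [("tok-a", "5550001111")]
    print(flag_enumeration(LOG))  # ['tok-b']
```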
I certainly have a few open reports to companies that I've been trying to reach for, in several cases, _years_. Or, in other cases, I found something but trying to reach the right person is nigh impossible. security@ bounces, general support is useless, no one responds on linkedin, no one responds to direct emails, pinging them on twitter does nil. Extremely sad.
Perhaps I'm naïve, but the fact this "breach" is being disclosed anonymously, via a medium commonly associated with nefarious data dumps, suggests to me that there really was little consideration paid to allowing Panera an opportunity to correct this situation.
Disclosing this as such was irresponsible, despite being an important discovery.
To bypass the responsible disclosure versus full disclosure debate: I provided them with well over six months of time to fix this and reported it last year. My own data is in this set.
Did you try reaching out to Troy Hunt, by chance? In the event of failed response from the site, I would maybe pass breaches to him, as he seems to be fairly successful at getting responses from breached organizations, and has an effective setup for notifying those breached.
Whilst that does appear to have had the desired effect in this case, I do hope to never find ourselves in the position where "responsible disclosure" includes "consulted with Troy Hunt" as a step.
How so? Is allowing a company a chance to patch a bug a responsibility that random people have to a company? What do those people get in return? Some companies will go as far as accusing the reporter of hacking them.
I might even go as far as to say that if companies expect to be told of bugs and not have the information released to the wild, they will be less concerned with security because they can always patch the bugs as they come and perform the smallest disclosure they know of. Such an idea of 'responsible disclosure' may lead to less security overall.
Perhaps the responsible thing is reporting the breach to the public because they are the ones most hurt by it, so they can take immediate corrective actions.
It's also possible that Panera would prosecute you for hacking their systems, if they were able to identify you. Better to be safe and disclose anonymously.
It was given 6 months of lead time, but furthermore no researcher is under any obligation at all to consider corporate profits when releasing their research.
Given the number of times well-meaning do-gooders have been prosecuted or sued after publicly disclosing a breach, I find this approach entirely reasonable.
The caveat, of course, is that the poster should definitely have first attempted to contact Panera. I would not be surprised at all if Panera responded by doing absolutely nothing, which eventually led to this post.