
Massive Breach in Panera Bread - pnrabrdthrwy
https://pastebin.com/21H28TA1
======
deft
A similar flaw exists in the Denny's Canada app. Reveals usernames, email,
full name and phone number. The API is entirely unauthenticated and account
hijacking is very easy. The app is used for reward points that grant you free
meals.

I tried reaching out to them multiple times and was ignored. I tried
contacting the firm that developed the app, and they ignored me. Maybe I
should have made a pastebin dump :)

~~~
papagg
You should post your method. I could scrape it for data if you want

~~~
deft
Would rather not. I've made scripts that take all the data possible, I'll
probably post a dump and repro instructions some time later.

~~~
stevekemp
Might be worth getting in touch with Troy Hunt, over at
[https://haveibeenpwned.com/](https://haveibeenpwned.com/)

------
d4mi3n
API seems to be down for maintenance. Nice to see Panera is taking action, sad
to hear that this seems to be way, way after the original vulnerability was
reported.

------
dsl
Verified the vulnerability, but it looks like they have taken down the API
now.

Hopefully they will publicly acknowledge.

~~~
CiPHPerCoder
I anticipated this and made archived copies of the hyperlink referenced in the
Pastebin entry in case they tried to pretend there was no leak.

[https://www.webcitation.org/6yNwbyvu0](https://www.webcitation.org/6yNwbyvu0)

[https://archive.fo/h9mjp](https://archive.fo/h9mjp)

------
jclardy
Their whole system seemed a bit odd to me, given a password to your "account"
is optional. Using the terminal you can login with no password, then at the
end it asks you if you want to save your credit card to your account. Maybe it
requires a password at that point, but I wasn't going to try.

~~~
CiPHPerCoder
Oh no no no no no please don't tell me that's true D:

------
gtirloni

      Access Denied
      You don't have permission to access "http://www.panerabread.com/" on this server.
      Reference #18.96d8f648.1522702964.2a61eebf
    

The Web Archive can access it just fine though:
[https://web.archive.org/web/20180402210155/https://www.paner...](https://web.archive.org/web/20180402210155/https://www.panerabread.com/en-us/home.html)

------
dx034
For non-Americans and as their page is down: What kind of accounts do you have
at such a company? I never had an account with a restaurant, why would you use
that and store personal information there?

~~~
stevula
I’m American but I have made accounts with restaurants to order for pickup (or
delivery). It’s especially helpful if you eat in a busy area with long
lunch lines. It’s also less error prone having the order in written form than
trying to order over the phone. I think most restaurants use a vendor like
Yelp for their ordering service, but I guess some big ones like Panera can
afford to build one themselves (poorly).

------
zcdziura
Oh boy. I just verified this with a few phone numbers of folks that I know
personally, and their personal data came back just fine. This isn't good! I
hope it's patched ASAP.

------
mxpxrocks10
It's back online and they're verifying sessions now.

------
papagg
Anyone manage to scrape all data? If so please provide a link so it can be
archived for a database search tool.

------
thriftwy
That's exactly what you should do when you see a vulnerability. "Internet"
"businesses" have proven that they don't understand kind words. Take all those
lawsuits, or promises thereof, and _shove_.

Do this until they plead mercy. Are they? No they aren't yet!

------
mr_overalls
Wow, this looks pretty bad.

~~~
pvaldes
If in doubt, put a catputer photo. Cats always look fabulous.

Update: It seems that error-cat has gone now. In summary, anybody could
download a list of all people eating at these restaurants, their telephones,
addresses, pastry preferences and last four numbers of their credit cards. Am
I right? It seems that entering a single telephone they obtain a dozen
different users. Is it a sort of wildcard or something?

Wouldn't it be much better to talk with Panera Bread directly?

~~~
ctvo
I'm going to pick on your post a little:

Why would you assume a security researcher who put in that much effort and
kept the pastebin mostly anonymous didn't put in the effort to contact Panera
Bread?

Is there a reason you automatically assume that the security researcher is
irresponsible, but companies, who almost daily, have data breaches, are
responsible in these scenarios?

"Hey, maybe you should contact the company?!" Thank you captain fucking
obvious.

~~~
pvaldes
> Why would you assume...?

Because there is no data that specifies the opposite in the link (and extra
info was lacking when I wrote it), thus it is a reasonable and logical first
thing to check.

> Is there a reason you automatically assume that the security researcher is
> irresponsible...?

Please, don't put words in my mouth. I didn't call anybody irresponsible and
I didn't automatically assume anything. To be honest, I couldn't care less
about who, if anyone, has the responsibility here. I'm trying to learn something.
Not more, not less.

Captain fucking obvious is a nice title. We'll have a safer world when people
start paying notice to a lot of fucking obvious and boring things. This
reminds me a lot of the outrageous lexNET case (that was much, much, worse
than the internet knowing who has a sweet tooth for buns).

------
mxpxrocks10
Verified this is legit.

------
bt3
Perhaps I'm naïve, but the fact this "breach" is being disclosed anonymously,
via a medium commonly associated with nefarious data dumps, suggests to me that
there really was little consideration paid to allowing Panera an opportunity
to correct this situation.

Disclosing this as such was irresponsible, despite being an important
discovery.

~~~
CobrastanJorji
Given the number of times well-meaning do-gooders have been prosecuted or sued
after publicly disclosing a breach, I find this approach entirely reasonable.

The caveat, of course, is that the poster should definitely have first
attempted to contact Panera. I would not be surprised at all if Panera
responded by doing absolutely nothing, which eventually led to this post.

~~~
thriftwy
If you contacted them, you just opened yourself to potential persecution, even
if it would not be you who actually pastebined it later.

Not even once.

