Brewdog might make an OK pint but its security sucks: Flaw opened door to free beers for anyone

Plus two failings this week at Apache and Twitch and nostalgia for Flash fans


In brief Hipster beer maker Brewdog has been caught out by a basic, but potentially very expensive, security problem, and the team that discovered it says the Scottish tipple-merchant's response was hardly encouraging.

Research by security shop Pen Test Partners found that the Brewdog mobile app shipped with a single hard-coded API bearer token that was used to authenticate every customer. Because that one token identified the app rather than any individual user, anyone who extracted it could access and use other people's accounts, including those of the 200,000 "Equity for Punks" shareholders, and snoop on other, lower-grade personal information.

"Shareholders get a free beer on the three days before or after their birthday under the terms of the Equity for Punks scheme," the code-testing operation warned. "One would simply access an account with the required date of birth, generate the QR code and the beers are on BrewDog!"
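To make the failure concrete, here is an added example (not Brewdog's or Pen Test Partners' code) contrasting the pattern the researchers describe with a per-user token. The token values, account records and endpoint logic are all constructed for illustration and are not the real API.

```python
"""Added example: why a single hard-coded bearer token is not authentication.

Everything here is constructed for illustration: the token values, the
account records and the endpoint logic are assumptions, not the real API.
"""
import hmac
import secrets
from typing import Optional

# The kind of secret a mobile app ships with. Anyone who unpacks the app
# binary or proxies its traffic gets it, so it identifies the *app*, not a user.
APP_WIDE_TOKEN = "app-wide-token-baked-into-the-apk"   # constructed value

# Constructed account store: customer id -> record.
ACCOUNTS = {
    "1001": {"name": "Alice", "dob": "1990-10-09", "shareholder": True},
    "1002": {"name": "Bob",   "dob": "1985-03-02", "shareholder": False},
}


def vulnerable_get_account(headers: dict, params: dict) -> Optional[dict]:
    """Pattern described in the article: one shared token for every user,
    with the *client* choosing which account to read."""
    auth = headers.get("Authorization", "")
    if not hmac.compare_digest(auth, f"Bearer {APP_WIDE_TOKEN}"):
        return None
    # The only thing tying the request to an account is an id the caller
    # supplies, so any holder of the app-wide token can read any record.
    return ACCOUNTS.get(params.get("customer_id"))


# Hardened: the server issues a per-user token at login and derives the
# identity from that token. Client-supplied ids are never used for access.
SESSIONS: dict = {}   # token -> customer id (in-memory stand-in for a store)


def login(customer_id: str) -> str:
    """Issue a fresh, unguessable per-user token (constructed login flow;
    a real service would verify credentials first)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer_id
    return token


def hardened_get_account(headers: dict, params: dict) -> Optional[dict]:
    """Identity comes from the token; `params` carries no authority."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    customer_id = SESSIONS.get(auth[len("Bearer "):])
    if customer_id is None:
        return None
    return ACCOUNTS.get(customer_id)   # you only ever get your own record
```

The second version also removes the incentive to hide the secret in the app: the app-wide token can be public, because it no longer grants anything on its own. Rotating a leaked per-user token affects one customer rather than every installed copy of the app.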

Even once the flaw was reported, Brewdog's response was poor: it took four attempts to fix the issue, one of which broke the app itself. The firm still hasn't formally told shareholders about the problem, Pen Test Partners claimed.

"We found no evidence in the logs that the vulnerability was exploited or data exposed," Brewdog said. "We are working with our infrastructure partners to validate this conclusion."

Google has been secretly ordered by the US government to provide information on netizens who searched for particular terms, such as a sexual assault victim's name, using so-called keyword warrants, Forbes reported this week. The practice dates back to at least 2018, when such a warrant was used in the investigation into the serial bombings in Austin, Texas.

More fallout from Twitch hack, Bezos doesn't look good

The Amazon-owned streaming service Twitch, which admitted to getting its servers snooped earlier this week, may have bigger problems.

Multiple Twitch users reported that on Friday morning something strange was afoot – a rather unflattering picture of former Amazon CEO Jeff Bezos was being posted as a faint background image on the site's header pages for games. Let's just say it wasn't Jeff's best look.

The images have now been removed, although who knows what else the infiltrators may have done. Twitch had no comment at time of publication.

Hold up Apache users – you're not done patching yet after first flaw fix fails

Earlier this week the Apache Software Foundation released patches for two vulnerabilities in its HTTP Server. Now one of those fixes needs fixing.

"It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives," the bug report states.

"If files outside of these directories are not protected by the usual default configuration 'require all denied', these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution."

Only Apache 2.4.49 and 2.4.50 are affected; the incomplete fix was assigned CVE-2021-42013 and is addressed in 2.4.51, so it is better to upgrade now than to wait for the bypass to be exploited. In the meantime, confirm that the filesystem root is still covered by the default "Require all denied" block and that CGI is not enabled for aliased paths, since those two settings are what stand between a traversal and code execution.
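For anyone hunting for this in access logs, here is an added example (not Apache project code) that flags requests which, once fully percent-decoded and normalised, resolve outside the alias they were addressed to. The log lines are constructed samples in Common Log Format, and the `/cgi-bin/` alias name is an assumption about the server's configuration; the percent-encoded dots in the samples are the standard way of smuggling `..` past a normaliser that decodes only once.

```python
"""Added example, not Apache project code: spot path-traversal attempts of
the kind the advisory describes in access-log lines, including requests that
hide the dots behind one or more layers of percent-encoding.

The log lines below are constructed samples; '/cgi-bin/' is an assumed alias.
"""
import posixpath
import re
from urllib.parse import unquote

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def fully_decode(path: str, max_rounds: int = 5) -> str:
    """Percent-decode until the string stops changing. A single unquote()
    turns '%%32%65' into '%2e' and leaves the dot hidden; the second round
    exposes it. The cap stops pathological input looping forever."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def escapes_alias(raw_path: str, alias: str) -> bool:
    """True if a request addressed to `alias`, once decoded and normalised,
    resolves to a path outside it."""
    if not raw_path.startswith(alias):
        return False
    decoded = fully_decode(raw_path.split("?", 1)[0])
    # posixpath.normpath collapses '.' and '..' segments, e.g.
    # '/cgi-bin/../../etc/passwd' -> '/etc/passwd'
    normalised = posixpath.normpath(decoded)
    alias_root = alias.rstrip("/")
    return not (normalised == alias_root or normalised.startswith(alias_root + "/"))


def flag_traversals(log_lines, alias="/cgi-bin/"):
    """Return the raw request paths in `log_lines` that escape `alias`."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and escapes_alias(m.group("path"), alias):
            hits.append(m.group("path"))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Oct/2021:10:00:01 +0000] "GET /cgi-bin/printenv HTTP/1.1" 200 312',
    '203.0.113.5 - - [07/Oct/2021:10:00:02 +0000] "GET /cgi-bin/.%2e/.%2e/etc/passwd HTTP/1.1" 403 199',
    '203.0.113.5 - - [07/Oct/2021:10:00:03 +0000] "GET /cgi-bin/.%%32%65/.%%32%65/etc/passwd HTTP/1.1" 200 1201',
    '198.51.100.9 - - [07/Oct/2021:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 4521',
]

if __name__ == "__main__":
    for hit in flag_traversals(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

The status code in the log tells you whether the server's own protections held: a 403 means the "Require all denied" block did its job, while a 200 on a path that normalises outside the alias is the one to investigate. Decoding repeatedly rather than once is the whole point, since it was exactly that single-pass assumption that the 2.4.50 fix got wrong.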

US cracks the whip on cryptocurrency and crime with new enforcement team

The US government is to set up a new task force, the National Cryptocurrency Enforcement Team, with the aim of cracking down on cryptocurrency criminals.

"The Criminal Division is already an established leader in investigating and prosecuting the criminal misuse of cryptocurrency," said US Assistant Attorney General Kenneth Polite.

"The creation of this team will build on this leadership by combining and coordinating expertise across the Division in this continuously evolving field to investigate and prosecute the fraudulent misuse, illegal laundering, and other criminal activities involving cryptocurrencies."

As we saw in the Colonial Pipeline ransomware attack, the Feds have become more adept at clawing back money extorted by crims who cripple computers. The new task force also wants to go after folks who use cryptocurrencies to evade taxes and to pay for illegal goods like hacking tools, drugs and guns.

It's 2021 and malware merchants are still fixated on Flash

Ah, some things never change: Adobe's Flash is still toxic to security, judging from a new Android malware alert.

The TangleBot malware, spotted by analysts at security biz Proofpoint, is currently being spammed out to people in the US and Canada as SMS messages urging recipients to book COVID-19 appointments. Tap the link and you'll be asked to download an "Adobe Flash update"; do that and it's game over.

Flash hasn't been supported by default on Android since 2012, and was finally killed off on the desktop this January, although it lives on in China. Either this is just very lazy malware coding, or they are banking on people being that stupid. Most likely both. ®

Biting the hand that feeds IT © 1998–2022