Brewdog might make an OK pint but its security sucks: Flaw opened door to free beers for anyone

Plus two failings this week at Apache and Twitch and nostalgia for Flash fans


In brief: Hipster beer maker Brewdog has been caught out by a basic, but potentially very expensive, security problem, and the team that discovered it says the Scottish tipple-merchant's response was hardly encouraging.

Research by security shop Pen Test Partners found that the Brewdog mobile app used the same hard-coded API Bearer Token to log in every single customer on their mobiles. This would allow anyone to access and use other people's accounts, including 200,000 "Equity for Punks" shareholders, as well as to snoop on other lower-grade personal information.

"Shareholders get a free beer on the three days before or after their birthday under the terms of the Equity for Punks scheme," the code-testing operation warned. "One would simply access an account with the required date of birth, generate the QR code and the beers are on BrewDog!"

Even when the flaw was identified, Brewdog didn't do well, taking four attempts to try to fix the issues – on one occasion breaking the app itself. The firm still hasn't formally told shareholders about the issue, Pen Test claimed.

"We found no evidence in the logs that the vulnerability was exploited or data exposed," Brewdog said. "We are working with our infrastructure partners to validate this conclusion."
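The flaw class Pen Test Partners describes, one bearer token shared by every install, set beside a per-login token bound to a single account. This is an added illustration, not Brewdog's or Pen Test Partners' code; the account data, token value and function names are all constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: IDs, names, dates and the token are made up.
ACCOUNTS = {
    101: {"name": "alice", "dob": "1990-10-09", "shareholder": True},
    102: {"name": "bob", "dob": "1985-03-14", "shareholder": False},
}

# Flawed design: one token compiled into every copy of the app.
APP_WIDE_TOKEN = "constructed-static-token"


def get_account_flawed(bearer, account_id):
    """The token proves 'a copy of the app is calling', not who the user is."""
    if not hmac.compare_digest(bearer.encode(), APP_WIDE_TOKEN.encode()):
        raise PermissionError("bad token")
    return ACCOUNTS[account_id]  # any account ID the caller names is served


# Hardened design: a random token per login, stored hashed, bound to one account.
SESSIONS = {}  # sha256(token) -> account_id


def login(account_id):
    """Assumed to run only after the user's own credentials were verified."""
    token = secrets.token_urlsafe(32)
    SESSIONS[hashlib.sha256(token.encode()).hexdigest()] = account_id
    return token


def get_account_hardened(bearer, account_id):
    owner = SESSIONS.get(hashlib.sha256(bearer.encode()).hexdigest())
    if owner is None:
        raise PermissionError("unknown or expired token")
    if owner != account_id:
        raise PermissionError("token does not belong to this account")
    return ACCOUNTS[account_id]
```

The ownership check in `get_account_hardened` is what the shared token could never provide: the server can tell which customer is asking, so it can refuse requests for anyone else's record.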

Google has been secretly ordered by the US government to provide information on netizens searching for particular terms – such as a sexual assault victim's name – with so-called keyword warrants, Forbes reported this week. The practice has been going on since at least 2018, when these warrants were used in an investigation into serial bombings in Austin, Texas.

More fallout from Twitch hack, Bezos doesn't look good

The Amazon-owned streaming service Twitch, which admitted to getting its servers snooped earlier this week, may have bigger problems.

Multiple Twitch users reported that on Friday morning something strange was afoot – a rather unflattering picture of former Amazon CEO Jeff Bezos was being posted as a faint background image on the site's header pages for games. Let's just say it wasn't Jeff's best look.

The images have now been removed, although who knows what else the infiltrators may have done. Twitch had no comment at time of publication.

Hold up Apache users – you're not done patching yet after first flaw fix fails

Earlier this week the Apache Software Foundation released patches for a couple of HTTP Web Server vulnerabilities. Now one of those fixes needs fixing.

"It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives," the bug report states.

"If files outside of these directories are not protected by the usual default configuration 'require all denied', these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution."

Only the Apache 2.4.49 and 2.4.50 builds are affected, but it's better to patch now rather than wait for this issue to be exploited.
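A defender-side check for the two conditions in the advisory quoted above: an affected build, and a root directory not covered by 'require all denied'. This is an added example, not Apache tooling; the banner, config text and function names are constructed, and the parser assumes a single flat config file.

```python
import re

AFFECTED = {"2.4.49", "2.4.50"}  # the two builds the article names

# Constructed sample inputs, not taken from any real server.
BANNER = "Server version: Apache/2.4.50 (Unix)"
WEAK_CONF = """
<Directory />
    AllowOverride none
    Require all granted
</Directory>
"""
DEFAULT_CONF = WEAK_CONF.replace("all granted", "all denied")


def httpd_version(banner):
    """Pull the version out of `httpd -v` output or a Server header."""
    m = re.search(r"Apache/(\d+\.\d+\.\d+)", banner)
    return m.group(1) if m else None


def root_policy(conf):
    """Last 'Require all ...' inside <Directory />; None if absent.
    Assumption: one flat file, Include directives are not followed."""
    policy, in_root = None, False
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        if re.fullmatch(r'<Directory\s+"?/"?\s*>', line, re.I):
            in_root = True
        elif re.fullmatch(r"</Directory\s*>", line, re.I):
            in_root = False
        elif in_root:
            m = re.fullmatch(r"Require\s+all\s+(denied|granted)", line, re.I)
            if m:
                policy = m.group(1).lower()
    return policy


def audit(banner, conf):
    findings = []
    version = httpd_version(banner)
    if version in AFFECTED:
        findings.append(f"httpd {version} is an affected build: patch it")
    if root_policy(conf) != "denied":
        findings.append("<Directory /> lacks 'Require all denied'")
    return findings
```

An empty result from `audit` only covers these two checks; more specific `<Directory>` or `<Location>` sections elsewhere in the config can still grant access and need their own review.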

US cracks the whip on cryptocurrency and crime with new enforcement team

The US government is to set up a new task force, the National Cryptocurrency Enforcement Team, with the aim of cracking down on cryptocurrency criminals.

"The Criminal Division is already an established leader in investigating and prosecuting the criminal misuse of cryptocurrency," said US Assistant Attorney General Kenneth Polite.

"The creation of this team will build on this leadership by combining and coordinating expertise across the Division in this continuously evolving field to investigate and prosecute the fraudulent misuse, illegal laundering, and other criminal activities involving cryptocurrencies."

As we saw in the Colonial Pipeline ransomware attack, the Feds have become more adept at clawing back money extorted by crims who cripple computers. The new task force also wants to go after folks who use cryptocurrencies to evade taxes and to pay for illegal goods like hacking tools, drugs and guns.

It's 2021 and malware merchants are still fixated on Flash

Ah, some things never change - Adobe's Flash is still toxic to security, judging from a new Android virus alert.

The TangleBot malware, spotted by analysts at security biz Proofpoint, is currently being spammed out to people in the US and Canada in the form of SMS messages urging people to make COVID-19 appointments. Click on the link and you'll be asked to download an Adobe Flash update: Do that and it's game over.

Flash hasn't been supported by default on Android since 2012, and was finally killed off on the desktop this January, although it lives on in China. Either this is just very lazy malware coding, or they are banking on people being that stupid. Most likely both. ®
