Do(ug)h! Half-baked security at Panera Bread spills customer data
After eight months of loafing, baguette biz finally rises to security obligations
The website for restaurant chain Panera Bread has made the personal information for customers' online accounts available for takeout since August last year, according to security researcher Dylan Houlihan.
The all-you-can-eat menu on its website offered online account holders' full names, home addresses, email addresses, dietary preferences, usernames, phone numbers, birthdays and the trailing four digits of saved credit cards to anyone able to construct a simple web query.
It's not clear whether anyone took advantage of this moveable data feast – no actual data theft has been alleged – but eight months after initially alerting the bread biz, Houlihan finally managed to get the culinary company to close its data buffet on Monday by publishing evidence of his findings on Pastebin and alerting the media.
Houlihan, tired of being ignored by Panera's security team, posted about Panera's unpalatable security on Medium, alongside screenshots of email correspondence with Panera Bread’s information security director, Mike Gustavison.
"Despite an explicit acknowledgement of the issue and a promise to fix it, Panera Bread sat on the vulnerability and, as far as I can tell, did nothing about it for eight months," Houlihan wrote.
Once reports about the issue started to appear, Panera Bread CIO John Meister attempted to minimize the data exposure by telling Fox News fewer than 10,000 accounts were potentially affected.
That figure was challenged by independent security reporter Brian Krebs, who initially put the number at 7 million and subsequently revised his estimate to 37 million.
Other security researchers have since chimed in to point out subpar settings affecting other parts of Panera's website.
Fetching millions of accounts by query would have been far harder had Panera used non-sequential, unguessable account identifiers.
But Panera implemented the opposite: an easily guessable account numbering scheme by which anyone with basic coding skills could hit the account API endpoint – https://delivery.panerabread.com/foundation-api/users/uramp/1234567 – and iterate through every database entry simply by changing the trailing number.
As the now-removed Pastebin post explained, "Panera Bread uses sequential integers for account IDs, which means that if your goal is to gather as much information as you can instead about someone, you can simply increment through the accounts and collect as much as you'd like, up to and including the entire database."
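To make the failure concrete, here is an added example in Python. It is not Panera's code, Houlihan's code or anything from the Pastebin post; every account record, session token and function name in it is constructed for illustration. It models the bug the story describes (a lookup keyed only on the integer in the URL, with no check of who is asking), the per-object authorisation check that closes it, and why unguessable identifiers on their own merely slow an attacker down rather than fix the problem.

```python
"""Added illustration of the insecure-direct-object-reference pattern above.

All data (accounts, session tokens) is constructed; nothing here is Panera's
code or data. A "request" is modelled as a plain function call taking
(session_token, requested_id) so the example runs with no web framework.
"""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Account:
    id: int            # sequential integer, as the story describes
    username: str
    email: str
    card_last4: str    # trailing four digits of a saved card


# Constructed sample records with consecutive IDs (not real people).
ACCOUNTS: Dict[int, Account] = {
    1234567: Account(1234567, "alice", "alice@example.com", "4242"),
    1234568: Account(1234568, "bob", "bob@example.com", "1111"),
    1234569: Account(1234569, "carol", "carol@example.com", "9876"),
}

# Hypothetical session store: bearer token -> the account that logged in.
SESSIONS: Dict[str, int] = {
    "tok-alice": 1234567,
    "tok-bob": 1234568,
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested record."""


Handler = Callable[[Optional[str], int], Optional[Account]]


def get_user_vulnerable(token: Optional[str], user_id: int) -> Optional[Account]:
    """Looks up whatever ID is in the URL. The session token is never consulted,
    so any caller, even one with no session at all, can read any record."""
    return ACCOUNTS.get(user_id)


def get_user_hardened(token: Optional[str], user_id: int) -> Optional[Account]:
    """Authenticate the caller, then authorise the specific object requested.
    The ownership check runs before the lookup, so a caller cannot tell
    'exists but is not yours' apart from 'does not exist'."""
    caller = SESSIONS.get(token) if token else None
    if caller is None:
        raise Forbidden("no valid session")
    if caller != user_id:
        raise Forbidden("session does not own account %d" % user_id)
    return ACCOUNTS.get(user_id)


def enumerate_accounts(fetch: Handler, token: Optional[str],
                       start: int, count: int) -> List[Account]:
    """What the researcher described: walk consecutive IDs and keep every
    record the endpoint hands back. Forbidden responses are simply skipped."""
    found: List[Account] = []
    for uid in range(start, start + count):
        try:
            rec = fetch(token, uid)
        except Forbidden:
            continue
        if rec is not None:
            found.append(rec)
    return found


# Unguessable public identifiers are a second layer, not a replacement for the
# authorisation check. 16 random bytes is a ~2^128 space, so blind iteration is
# hopeless, but a leaked ID still exposes its record unless ownership is checked.
PUBLIC_IDS: Dict[str, int] = {secrets.token_urlsafe(16): uid for uid in ACCOUNTS}


def get_user_by_public_id(token: Optional[str], public_id: str) -> Optional[Account]:
    """Resolve the random public ID to the internal one, then apply the same
    ownership check as get_user_hardened."""
    internal = PUBLIC_IDS.get(public_id)
    if internal is None:
        raise Forbidden("unknown account")
    return get_user_hardened(token, internal)


def expected_guesses_per_hit(id_bits: int, populated: int) -> float:
    """Rough cost of blind enumeration: ID space divided by live records.
    Three records in a 128-bit space cost ~1e38 guesses per hit; with
    consecutive integers every guess is a hit."""
    return (2 ** id_bits) / populated
```

The practical check this encodes is the one a tester would run against any such endpoint: log in as two different users, request each other's IDs (and an ID with no session at all), and treat any successful response as a finding. Note that the hardened handler raises the same error for a foreign ID as for a nonexistent one; returning 404 for the latter and 403 for the former would still let an attacker map which IDs are populated.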
The Register asked Panera Bread for comment but we've not heard back. ®