Probably not the best security in the world: Carlsberg wristbands spill visitor pics

Exclusive The Carlsberg exhibition in Copenhagen offers a bunch of fun activities, like blending your own beer, and the Danish brewer lets you relive those memories by making images available to download after the tour is over.

The images, however, are not stored securely. Researchers revealed that anyone could access the names and images belonging to the many hundreds of beer enthusiasts who visit the brewery each month.

One of those enthusiasts is Alan Monie, of Pen Test Partners, who, after visiting the experience himself, discovered that the codes used to access the images could easily be brute-forced.

In a report shared with The Register ahead of publication, Monie said that exhibition patrons input their wristband ID into the company's website, and they are then taken to the images snapped of them that day, which can be downloaded.

The Carlsberg Experience wristbands (Pen Test Partners)

The format of these wristband IDs, which expire after 30 days, allowed for 26 million possible combinations, and Monie knew he could generate these easily using only a laptop.

Armed with what he called a "broad" vulnerability disclosure policy for the brewer, he got to work seeing how much data he could access.

Using Burp Suite, he deduced that the wristband IDs were converted into a hex string, which, when passed into Carlsberg's website, returned the corresponding visitor's images.

"Whilst sticking to the terms of the VDP, I was able to brute force 1 million wristband IDs in around two hours," said Monie. "It would be possible to gain access to all the valid wristband IDs in around 52 hours from one laptop.

"From the sample of 1 million, I validated around 500 wristband IDs, so multiplying that by 26 means that there are around 13,000 people who use the interactive elements at the Carlsberg exhibition every 30 days, assuming all the letters are used."

Downloading visitors' images taken at the Carlsberg Experience (Pen Test Partners)

The researcher said he was able to access the names, images, and videos of exhibition attendees, noting that this kind of information should be protected under GDPR, although it is not the most salacious of leaks you'll see here at The Register.

Monie's visit to Copenhagen took place in August. Days later, he submitted his vulnerability report to Carlsberg via Zerocopter on August 19.

Despite Carlsberg promising to evaluate the report within ten working days, as well as providing regular progress updates, the company did not respond until November 11, according to the researcher's timeline of events.

This was the first and only time Monie heard from Carlsberg about the issue he reported nearly three months prior. In its response, Carlsberg said it addressed the matter by applying rate limitations, and asked Monie to retest.

He did just that, found that wristband IDs could still be brute-forced, and reported the same to Carlsberg, which to date has not responded to Monie. The company also did not respond to The Register's request for more information.

"In December, I asked Zerocopter again about the disclosure part of the disclosure policy, but they said that a client 'is in their rights to take their time' and that I should 'please be a bit more patient,'" Monie said.

"I think my patience has been exemplary, Zerocopter. The problem is that clients can easily avoid public disclosure by avoiding communication. That's not how to do responsible disclosure. That's not how to do IT security."

The issue remains exploitable, Monie told The Register, and as for the rate limiting, it "doesn't seem to have been applied effectively – either they didn't put it on the API, or just didn't implement it." ®
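The mitigation the article says was never applied effectively to the API is the one that matters here: a limit on the lookup call itself, not on the web page in front of it. The Python below is an added illustration written for this article, not Carlsberg's or Pen Test Partners' code. It enforces a per-client sliding-window limit inside the lookup function, counts failed lookups per client so an enumeration run trips an alert and a block, and computes how long a full sweep of a 26-million-ID space takes at a given request budget. The wristband IDs, image names, client addresses and thresholds are constructed sample values; the real ID format is not known from the article.

```python
"""Enumeration-resistant image lookup: an added example, not the site's code.

Assumptions (not from the article): the wristband IDs, image names, client
addresses and limits below are constructed sample values.
"""
from collections import defaultdict, deque

# Constructed sample store: wristband ID -> images captured for that visitor.
IMAGE_STORE = {
    "A123456": ["blend_01.jpg", "blend_02.jpg"],
    "B654321": ["tasting_01.jpg"],
}


def hours_to_enumerate(keyspace, max_requests, window_seconds):
    """Hours one client needs to try every ID when it may send
    max_requests lookups per window_seconds."""
    return keyspace / max_requests * window_seconds / 3600


class SlidingWindowLimiter:
    """Per-key limiter: at most max_requests in any window_seconds span.
    The caller passes the clock so behaviour is deterministic in tests."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window_seconds = window_seconds
        self._hits = defaultdict(deque)

    def allow(self, key, now):
        hits = self._hits[key]
        # Drop timestamps that have fallen out of the window.
        while hits and now - hits[0] >= self.window_seconds:
            hits.popleft()
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True


class ImageLookupService:
    """The limit and the failure accounting sit on the lookup itself, so a
    client talking straight to the API gets the same treatment as one using
    the web form."""

    def __init__(self, limiter, fail_threshold):
        self.limiter = limiter
        self.fail_threshold = fail_threshold
        self.failures = defaultdict(int)   # client -> unknown-ID lookups
        self.blocked = set()
        self.alerts = []                   # lines a SIEM would ingest

    def lookup(self, client, wristband_id, now):
        if client in self.blocked:
            return ("blocked", None)
        if not self.limiter.allow(client, now):
            return ("rate_limited", None)
        images = IMAGE_STORE.get(wristband_id)
        if images is None:
            # A genuine visitor mistypes an ID once or twice; a sweep of the
            # keyspace produces a long run of misses from one client.
            self.failures[client] += 1
            if self.failures[client] >= self.fail_threshold:
                self.blocked.add(client)
                self.alerts.append(
                    f"enumeration suspected: {self.failures[client]} "
                    f"unknown wristband IDs from {client}")
            return ("not_found", None)
        return ("ok", images)


if __name__ == "__main__":
    # At the throughput the researcher observed (1 million IDs in two hours)
    # a sweep of 26 million IDs takes the 52 hours quoted in the article.
    print(hours_to_enumerate(26_000_000, 1_000_000, 7200))
    # With five lookups per minute per client it takes roughly 86,000 hours.
    print(hours_to_enumerate(26_000_000, 5, 60))
```

A single-source limiter is only part of the answer, since a sweep can be spread across many client addresses; the failed-lookup alerting is what makes such a run visible to the operations team. The stronger fix is to stop the ID space from being enumerable at all, by issuing each wristband a long random token rather than a short code whose 26 million combinations can be walked in days.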

Source: The Register