
How did the Panera Bread website expose customers?

Panera Bread website users were put at risk after a security researcher discovered a vulnerability relating to a lack of authentication for their publicly available API endpoint.

Panera's website was found to be exposing customer data in plaintext, which is a serious vulnerability. What issues were behind the leak and what customer data was exposed?

Security researcher Dylan Houlihan discovered that the Panera Bread website enabled unprivileged attackers to easily access customer data through vulnerable endpoints used by the Panera Bread website API. The API endpoints were URLs that, combined with customer numbers, could be used to access Panera customer data and that were implemented without a mechanism to authenticate the users attempting to access them.

To complete the attack, an attacker could enter any customer ID in the API endpoint URL without having to provide authentication credentials to view the customer data. The API did not have a method in place to authenticate requests for customer data, so an API key was not required.
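The two handlers below are an added illustration of the gap described above, not Panera's code or anything taken from Houlihan's research. The first behaves like the endpoint the article describes: whatever customer ID appears in the URL is looked up and returned, with no credentials required. The second shows the two checks that were missing: authenticate the caller from a session token, then authorize that caller for the specific record requested. The customer records, session tokens, path layout and header names are all constructed assumptions for the example.

```python
"""Added illustration (not Panera's code) of an unauthenticated customer-record
endpoint beside a hardened version with authentication and object-level
authorization. All records, tokens and paths are constructed sample data."""
import hmac
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample records. IDs are sequential, as the article says Panera's were.
CUSTOMERS = {
    1001: {"name": "Alice Example", "email": "alice@example.com",
           "phone": "555-0101", "card_last4": "1234"},
    1002: {"name": "Bob Example", "email": "bob@example.com",
           "phone": "555-0102", "card_last4": "5678"},
}

# Constructed session store: bearer token -> customer ID the token was issued to.
SESSIONS = {"tok-alice": 1001}

PATH_RE = re.compile(r"^/api/customers/(\d+)$")


@dataclass
class Response:
    status: int
    body: object


def lookup_session(token: str) -> Optional[int]:
    """Return the customer ID a session token belongs to, or None if unknown.

    compare_digest keeps each comparison constant-time, so a lookup does not
    leak how many leading characters of a guessed token were correct.
    """
    for stored, owner in SESSIONS.items():
        if hmac.compare_digest(stored.encode(), token.encode()):
            return owner
    return None


def vulnerable_get_customer(path: str, headers: dict) -> Response:
    """The flaw the article describes: the ID in the URL is the only input consulted."""
    m = PATH_RE.match(path)
    if not m:
        return Response(404, "not found")
    record = CUSTOMERS.get(int(m.group(1)))
    if record is None:
        return Response(404, "not found")
    return Response(200, record)


def hardened_get_customer(path: str, headers: dict) -> Response:
    """Authenticate the caller, then authorize them for this specific record."""
    m = PATH_RE.match(path)
    if not m:
        return Response(404, "not found")

    # Step 1: authentication. Without a valid session there is no caller to authorize.
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return Response(401, "authentication required")
    caller_id = lookup_session(auth[len("Bearer "):])
    if caller_id is None:
        return Response(401, "invalid session")

    # Step 2: object-level authorization. The URL's ID is untrusted input; the
    # caller may read only the record their session was issued for.
    requested_id = int(m.group(1))
    if requested_id != caller_id:
        # 404 rather than 403, so the response does not confirm that the ID exists.
        return Response(404, "not found")

    record = CUSTOMERS.get(requested_id)
    if record is None:
        return Response(404, "not found")
    return Response(200, record)


if __name__ == "__main__":
    print(vulnerable_get_customer("/api/customers/1002", {}))  # 200, leaks Bob's record
    print(hardened_get_customer("/api/customers/1002", {}))  # 401
    print(hardened_get_customer("/api/customers/1002",
                                {"Authorization": "Bearer tok-alice"}))  # 404
    print(hardened_get_customer("/api/customers/1001",
                                {"Authorization": "Bearer tok-alice"}))  # 200
```

The point of the second handler is that authentication alone is not enough: a logged-in user who can change the ID in the URL to read another customer's record is the same data exposure with one extra step. The ownership check on `requested_id` is what closes it, and it also makes the guessability of sequential IDs largely irrelevant to this endpoint.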

Furthermore, security does not appear to have been part of the software development lifecycle when the website was designed, developed and deployed: the endpoints were written with no user authentication, new customer data could be entered without authentication, and the endpoint vulnerabilities were found only after the website was launched for public use.

The designers and developers missed authentication and endpoint security issues that a programming-savvy security expert would spot quickly, and nothing in the software development lifecycle caught them before release.

The customer data that was exposed included customer names, email addresses, phone numbers, home addresses and the last four digits of credit cards. Collecting that data at scale required nothing sophisticated: because Panera generates customer account numbers sequentially, an attacker could use a simple enumeration attack to gather the exposed data for all Panera Bread website customers.
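An enumeration of sequential IDs against an unauthenticated endpoint leaves a distinctive trace in the web server's access log: one client requesting many distinct customer IDs, each one higher than the last, in a short window. The detector below is an added example (not Panera's tooling, and not taken from the research the article describes) that parses combined-format access log lines and flags that pattern. The log lines, client addresses, timestamps, the `/api/customers/<id>` path layout and the alert thresholds are all constructed assumptions.

```python
"""Added example (not Panera's tooling): flag sequential customer-ID enumeration
in access logs. Log lines use the common Apache/nginx combined layout; the
addresses, timestamps and paths below are constructed sample data."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Optional, Tuple

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)
CUSTOMER_PATH_RE = re.compile(r"^/api/customers/(\d+)$")  # assumed path layout
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: 203.0.113.5 walks IDs 1001..1006 in five seconds;
# 198.51.100.7 fetches one record twice and an unrelated endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Apr/2018:10:00:01 +0000] "GET /api/customers/1001 HTTP/1.1" 200 312
203.0.113.5 - - [03/Apr/2018:10:00:02 +0000] "GET /api/customers/1002 HTTP/1.1" 200 298
198.51.100.7 - - [03/Apr/2018:10:00:02 +0000] "GET /api/customers/1001 HTTP/1.1" 200 312
203.0.113.5 - - [03/Apr/2018:10:00:03 +0000] "GET /api/customers/1003 HTTP/1.1" 404 41
203.0.113.5 - - [03/Apr/2018:10:00:04 +0000] "GET /api/customers/1004 HTTP/1.1" 200 305
198.51.100.7 - - [03/Apr/2018:10:00:05 +0000] "GET /api/menu HTTP/1.1" 200 8812
203.0.113.5 - - [03/Apr/2018:10:00:05 +0000] "GET /api/customers/1005 HTTP/1.1" 200 320
203.0.113.5 - - [03/Apr/2018:10:00:06 +0000] "GET /api/customers/1006 HTTP/1.1" 200 311
198.51.100.7 - - [03/Apr/2018:10:00:09 +0000] "GET /api/customers/1001 HTTP/1.1" 200 312
"""


def parse_line(line: str) -> Optional[Tuple[str, datetime, int]]:
    """Return (client_ip, timestamp, customer_id) for customer-record requests, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    p = CUSTOMER_PATH_RE.match(m.group("path"))
    if not p:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    return m.group("ip"), ts, int(p.group(1))


def detect_enumeration(lines, min_ids=5, max_span_seconds=60, min_sequential_ratio=0.8):
    """Return one alert per client that requested many distinct, mostly consecutive
    customer IDs within a short window. Thresholds are assumed defaults."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            ip, ts, cid = ev
            by_ip[ip].append((ts, cid))

    alerts = []
    for ip, events in by_ip.items():
        ids = sorted({cid for _, cid in events})
        if len(ids) < max(min_ids, 2):  # need at least two IDs to measure steps
            continue
        timestamps = [ts for ts, _ in events]
        span = (max(timestamps) - min(timestamps)).total_seconds()
        if span > max_span_seconds:
            continue
        # Fraction of gaps between consecutive distinct IDs that are exactly 1:
        # a walk through sequential account numbers scores close to 1.0.
        steps = [b - a for a, b in zip(ids, ids[1:])]
        ratio = sum(1 for s in steps if s == 1) / len(steps)
        if ratio >= min_sequential_ratio:
            alerts.append({
                "ip": ip, "distinct_ids": len(ids), "first_id": ids[0],
                "last_id": ids[-1], "span_seconds": span, "sequential_ratio": ratio,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG.splitlines()):
        print(alert)
```

Keying on the client address is the simplest grouping and is enough to catch a single-source walk like the sample; a scraper spread across many addresses would need the same logic keyed on whatever identifies the caller once the endpoint is authenticated (the session or API key), which is another reason the authentication fix matters for detection as well as prevention. The 404 on ID 1003 is deliberately included: a client that keeps walking past missing records is still enumerating.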

In addition, customer phone numbers obtained from another source, such as Intelius, could be used to look up usernames and email addresses for Panera accounts -- customers are required to provide a phone number when signing up for an account.

Houlihan repeatedly attempted to notify Panera Bread about their insecure website, but changes were not made until he shared his findings with information security journalist Brian Krebs, who ultimately determined that as many as 37 million customer records had been exposed by the flaw.

Although Panera Bread said it had fixed the problem, Houlihan pointed out that, even after eight months, the vulnerability that exposed customer data had not been completely removed; the website has since been secured.

Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)
