Brewdog might make an OK pint but its security sucks: Flaw opened door to free beers for anyone

Hipster beer maker Brewdog has been caught out by a basic, but potentially very expensive, security problem, and the team that discovered it says the Scottish tipple-merchant's response was hardly encouraging. Research by security shop Pen Test Partners found that the Brewdog mobile app used the same hard-coded API Bearer …

  1. adam 40

    Every mobile phone has a birthday

    I used this trick with Marston's - every email account has a birthday...

    Happy hours all round!

    1. devin3782

      Re: Every mobile phone has a birthday

      They must be using the same developers, welcome to amateur hour.

      1. Admiral Grace Hopper

        Re: Every mobile phone has a birthday

        It's beer, so at least it's Happy Amateur Hour.

      2. Clausewitz 4.0

        Re: Every mobile phone has a birthday

        Maybe it is just a long-ago coded phishing kit with outdated templates, but it still kind of works or they wouldn't be using it.

      3. Anonymous Coward

        Re: Every mobile phone has a birthday

        @devin3782

        Have an upvote for the Sparks reference

    2. Anonymous Coward

      Re: Every mobile phone has a birthday

      Finally a hack I can cheer for.

      Too bad I live across the pond. Cheers anyway.

    3. Anonymous Coward

      Re: Every mobile phone has a birthday

      So if you have your own domain, can you just create 1210@mydomain.com, 1310@mydomain.com, 1410@mydomain.com, ...

    4. Old Tom

      Re: Every mobile phone has a birthday

      Although not the best, you probably got a reasonable pint in a Marston house whereas although Brew Dog might make reasonable beer, they insist on serving it fizzy and over-chilled.

  2. Clausewitz 4.0

    US cracks the whip on cryptocurrency

    Good hard job! We all hope they achieve the same level of success of their other current task forces.

  3. jollyboyspecial

    Standard Response

    "We found no evidence in the logs that the vulnerability was exploited or data exposed,"

    For which you can read: "We made absolutely no attempt to find out if the vulnerability was exploited or data exposed"

  4. JDPower666

    "Either this is just very lazy malware coding, or they are banking on people being that stupid. Most likely both"

    You say that like they should be targeting smart people who won't fall for it? The whole point of a successful scam is to target those not smart (or technologically literate) enough to know better. I mean, my mum doesn't even know what Flash is, let alone that it's been killed off. So a Flash update scam is likely to be just as successful as it always was for a few years yet.

    1. DS999 Silver badge

      Yeah they could say "click this for a required update to iOS" on Android and it would probably do as well. Windows has trained two generations of computer users to just click "OK" whenever anything asks to be updated, so most don't even read what it says.

      They haven't had to change offering a "flash" update because they still work in 2021!

      1. ronkee

        Computers shipped requiring downloading updates from different places with different installers?

        This is the long tail of poor security practices years ago and a broken user experience.

    2. Captain Badmouth

      I mean, my mum doesn't even know what Flash is

      Not even for the kitchen floor?

      1. JDPower666

        Re: I mean, my mum doesn't even know what Flash is

        No, she's a dirty cow.

  5. Anonymous Coward

    Paid adverts?

    That’s two stories in two days featuring ‘Pen Test Partners’. Are they paying The Register for these adverts?

    1. Martin Summers

      Re: Paid adverts?

      They're reporting valid and interesting news from them. I very much doubt they are being paid. El Reg are very clear when their sponsored stories are sponsored. Why so salty about it?

  6. DrXym

    Not the first time

    About 5 years ago I had an app for a popular stout where each week it would give you a free pint to drink in any one of about 50 local bars - to claim the pint, say what bar you were in and show the code to the barman. It had some minimal security in it - the code was unique to the bar, and the screen with the code had a timestamp and a countdown timer.

    But it was easy to circumvent. The easiest way was just to grab every old phone / tablet in the cupboard, install the app on each of them and bring them all out for the evening. At each bar, pull out a device and use up the code, rinse and repeat. Switch bars after drinks.

    But then they made an update to the app where it became even easier - all you had to do was wipe the app cache and the free pint flag was reset, so we could just take a single phone each. Literally just claim a pint, wipe the cache, claim a pint, wipe the cache. Repeat until inebriated.

    I swear we didn't buy a single drink for months.

  7. Aristotles slow and dimwitted horse

    Re: Brewdog might make an OK pint

    Alternatively, though, you could say that they produce weak and overly fragrant cat's piss which only catches the eye due to overly shiny marketing to people that wouldn't know a good beer if it bit them in the arse.

    Just sayin'... YMMV of course.
