Web Vulnerabilities and Disclosure Revelations: Unhealthy Habits

hackersbyrez0.com

Fast food chains’ growth has increased by an average of 5.75% in the second quarter of 2023. Covid, the Ukraine-Russia war, and supermarket greed have tremendously increased food prices, whereas fast food prices have risen at a much slower pace. This makes fast food a viable option for feeding many people, thus increasing the fast food companies’ profits. I can only assume that some of this profit increase will be invested in the means of production and in ways to further increase profits in the short and long term.

When it comes to cybersecurity, one of the biggest fast-food companies, Yum! Brands, was hit with ransomware in 2023. It was even reported that employee data was stolen during this attack.

So you can see that, in spite of the profit gain, security incidents still threaten real damage. Of course, such large companies are hard to manage security-wise. But did they learn from past mistakes?

KFC Authentication Bypass and API Exposure leaks Millions of Receipts with PII

TLDR:

  • Found an “ordering system” web app while looking for food-chain related infrastructure on Shodan.
  • The web app employed client-side checks for authentication, which could be easily bypassed by setting a localStorage variable.
  • This led to the discovery of an API endpoint that discloses customer phone numbers, delivery addresses, and order details.

This is one of those bugs that you can find without ever leaving the browser. It also highlights the importance of enumerating the UI framework (React in this case).

We started with a random search for “KFC” on Shodan. While filtering results by country, we came across an interesting result on AWS Mumbai: a site that seemed to be some sort of order management/administration system.

The first order of business when dealing with a web app is to pop open devtools and see what we are dealing with, so that’s what we did.

Luckily we had JS source maps, so we didn’t have to read through uglified JS code. The imports make it clear that we are dealing with React, and the route map gave us a few interesting endpoints to explore.

So we tried visiting /admin directly and were immediately thrown back to the login page. It was time to take a look at the AdminDashComponent the route map was referring to.

All the adminComponent did in the name of authorization was check whether a localStorage item named “token” exists, so we happily set the token manually to a random value.

We now tried visiting /admin and voila!

The API was too unstable to retrieve all of the results. With some simple trial and error, we found out that the first entries were from October 30, 2021. We observed an average of 5000 orders per day (more on the weekends, but let’s keep it like this). From the first day, i.e. the 30th of October, until the time of writing (November 8th, 2023) 739 days have passed. This leads to approximately 3,695,000 receipts. Of course, not all of them contain PII. PII could be observed only in delivery receipts, where home addresses, phone numbers, and names were printed out.

Also, when examining the receipts, we came across some interesting delivery addresses and orders, such as a military station.

Disclosure

Both vulnerabilities were reported around the same time through responsibledisclosure.com. We waited 90 days in the hope that both vulnerabilities would be patched.

UPDATE: As of December 2023, both vulnerabilities seem fixed!


Again, another great article @vict0ni,
but since I’m on my learning journey, would you mind explaining how you did the search on Shodan mentioned here?

Thanks again, great job. Can’t wait for your next article.

Oh, there’s a screenshot I missed for that! The query basically is http.html:"COMPANY NAME"; then you can add a country filter if you are looking specifically for a particular area. Fun fact: I just noticed that @messede is using the http.html filter. My personal go-to filter is ssl:COMPANY DOMAIN, but the HTML filter is an equally nice approach I should start using.
