P.F. Chang’s Security Flaw revealed, following Panera Bread’s leak

Ax Sharma
Apr 9, 2018 · 7 min read
P.F. Chang’s Restaurant

Disclaimer: This article contains a firsthand vulnerability discovery and is intended for educational and security awareness purposes only. Do not attempt to violate any laws in your jurisdiction, or make use of this knowledge for malicious purposes — doing so would be unethical and of course, illegal. I hereby waive any personal responsibility and liability in the form of injury, damage or any consequences arising from your actions, should you get yourself “in trouble” by attempting to do anything unlawful or otherwise. This vulnerability is being disclosed ethically and the timeline can be referred to at the bottom of this article.

Note: The Proof of Concept (PoC) has been constructed by creating “test” accounts for simulating exploitation of the improper access control. Doing so keeps it legal — we are essentially reading from/writing to the accounts we actually (should) have access to, using the member website. This also prevents any other member accounts from being accidentally read, affected or overwritten. A detailed vulnerability disclosure report, embedded as a Google Docs page can be viewed below.


The morning of April 4th, I woke up to news reports of Panera Bread’s security flaw and the possible data exposure it could have caused, as featured on Krebs on Security, Dylan Houlihan’s original post, and numerous other news sites.

Little did I know that, merely 2 days after Panera Bread’s public disclosure, I would be discovering a similar and equally serious vulnerability on the website of one of my favorite restaurant chains — P.F. Chang’s. They have the best Dali Chicken and Kung Pao entrées, hands down. But you’d think they would have even better security after the 2014 credit card breach.

Their website proves otherwise. I remember not too long ago P.F. Chang’s Rewards website got an appealing redesign. However, there appears to be a serious flaw existing beneath the beautiful, thematic pages of their Rewards website.

The Rewards website uses 2 APIs: a “Conductor” API (https://conductor.pfchangs.com) that retrieves Rewards member records, and a “Soil” API (https://soil.pfchangs.com) that serves restaurant location data and mostly public information. For the purposes of our demonstration, we are only focused on the Conductor API.

For the attack to work, it is sufficient to sign up for a P.F. Chang’s Rewards account using a rogue e-mail account. In my case, I simply used rogue@example.com and variants (e.g. rogue2@example.com, rogue3…etc.) to register for Rewards accounts. Yes, they accepted the email as valid — no email verification needed either. Using the rogue email address, the attacker can sign into the Rewards website and pay close attention to the network API calls being made, along with the content of the HTTP headers.

Two such HTTP headers include authorization and token.
These are apparently the authentication headers giving you access to your Rewards account and the goldmine — the improperly authenticated API.
If you take a closer look at the network requests and the HTTP headers, it appears that a particular API endpoint is called quite frequently, as soon as you are logged in.

https://conductor.pfchangs.com/api/Account/GetCustomerInfo/email_address

Notice the GET parameter being used to identify the user whose information is being requested: it’s their email. Of course, because you are logged in right now, it is displaying, and making use of your (rogue) email address to obtain the JSON record with your information:

https://conductor.pfchangs.com/api/Account/GetCustomerInfo/rogue@example.com

A simple replacement of this email with any other customer’s email will return the personal information of that P.F. Chang’s Rewards member.

This information includes:

  • Full Name

With some digging through public records or data dumps, a skilled attacker could cross-reference C-level executive records against the Rewards website to obtain, at the very least, their personal phone number, birthday, etc. After all, there is a good chance that the company’s own employees and executives take part in the Rewards program too. The personal mobile number of the CEO, Michael Osanloo, who has used the Rewards program, could have been obtained just as easily, along with order details, with some guessing of his email address (which was trivial).

At this time, there is no indication that any records contained on the Rewards website were exposed or overwritten by anyone, maliciously — but I simply wouldn’t know the answer to that, only P.F. Chang’s would.

Note: You would still need the “token” and “authorization” headers to access the API, which you can obtain by creating a rogue account. After that first step, however, the API does not check whose record is being accessed or whether it belongs to the account that is actually logged in.

Workflow

The steps to reproduce the vulnerability are given below.

  1. Sign up for P.F. Chang’s Rewards program.
     P.F. Chang’s Rewards Program Sign-Up Dialog Box
     Additional details required during Sign-Up

  2. Log in to the account and pay attention to the network requests — most notably the resource name ending in your email.
     HTTP Request & Response headers, the API endpoint URL and other parameters
     Security `token` present in HTTP Response Header

  3. Replicate the request with the token and other headers present in the HTTP Request, but this time replace the email present in the API endpoint URL with your victim’s email address (the victim must be a P.F. Chang’s Rewards member).

     The request will therefore now have to be sent to:

     https://conductor.pfchangs.com/api/Account/GetCustomerInfo/victim@ma.il

  4. Relish the information returned.
     • Payment Method (if available — in all cases, I observed “null”, which is good, but remember we only accessed our own test accounts)
     • Full Name, Address (if available), Phone Number, Loyalty ID #, List of previous orders, etc.
     • Partial Date of Birth recorded in the ‘AnniversaryDate’ field as 1924/MM/DD
     • Last Selected Store ID indicating my “preferred” restaurant location
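The same request pattern that makes the flaw reproducible is also what a defender would look for in the API’s access logs. The following detection logic is an added example, not code from this article or from P.F. Chang’s. It assumes the API gateway resolves each token to the account it was issued to and writes that account as a `sub=` field in the access log; the log lines below are constructed, and the `/api/Location/Nearby` path is made up for contrast. It flags two things: any GetCustomerInfo request whose URL email is not the authenticated account (a 200 is a confirmed cross-account read, a 404 is still probing), and any account that pulls records for several distinct emails.

```python
import re
from collections import defaultdict

# Constructed sample access log (not real P.F. Chang's data). Assumed format:
#   <timestamp> sub=<account the token was issued to> <method> <path> <status>
# The Location path on the last line is made up for contrast.
SAMPLE_LOG = """\
2018-04-04T10:15:02Z sub=rogue@example.com GET /api/Account/GetCustomerInfo/rogue@example.com 200
2018-04-04T10:15:40Z sub=rogue@example.com GET /api/Account/GetCustomerInfo/victim@ma.il 200
2018-04-04T10:15:41Z sub=rogue@example.com GET /api/Account/GetCustomerInfo/Someone@example.org 200
2018-04-04T10:15:42Z sub=rogue@example.com GET /api/Account/GetCustomerInfo/nobody@example.org 404
2018-04-04T10:16:10Z sub=member@example.net GET /api/Account/GetCustomerInfo/member@example.net 200
2018-04-04T10:16:11Z sub=member@example.net GET /api/Location/Nearby 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sub=(?P<sub>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# The member email is the final path segment of the GetCustomerInfo endpoint.
CUSTOMER_RE = re.compile(r"^/api/Account/GetCustomerInfo/(?P<email>[^/?#]+)$")


def parse_line(line):
    """Return a dict for one log line, or None if it is not a member-record request."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    target = CUSTOMER_RE.match(m["path"])
    if not target:
        return None  # not a member-record lookup; ignored by this detection
    return {
        "ts": m["ts"],
        "sub": m["sub"].lower(),
        "target": target["email"].lower(),  # emails compare case-insensitively
        "status": int(m["status"]),
    }


def find_cross_account_access(log_text):
    """Every request where the email in the URL is not the authenticated account.

    With correct access control these would all be 403s; a 200 here is a
    confirmed exposure, and a 404 still shows another email being probed.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["target"] != rec["sub"]:
            hits.append((rec["sub"], rec["target"], rec["status"]))
    return hits


def find_enumeration(log_text, threshold=3):
    """Accounts that requested at least `threshold` distinct member records.

    Counts include the account's own record and failed lookups, since a
    legitimate member only ever needs one record.
    """
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            targets[rec["sub"]].add(rec["target"])
    return {sub: len(t) for sub, t in targets.items() if len(t) >= threshold}


if __name__ == "__main__":
    for sub, target, status in find_cross_account_access(SAMPLE_LOG):
        print(f"cross-account: {sub} fetched {target} -> {status}")
    for sub, n in find_enumeration(SAMPLE_LOG).items():
        print(f"enumeration: {sub} touched {n} distinct member records")
```

The cross-account rule is the precise signal and would have fired on the very first request in the walkthrough above; the enumeration count is the fallback for an API that does not log the authenticated account next to the path, since a genuine member never needs more than one record.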

It is vital to note that during this entire process rogue@example.com was logged into the account and yet was able to access **akshay**@**** (my personal account’s) information.

Part 2. Overwriting Arbitrary Member Accounts

Yes, there’s a Part 2 to this…

The API’s improper access control also enables one Rewards member to overwrite another arbitrary or targeted Rewards member account’s information with their own — for example, to claim that member’s rewards when at a restaurant. All one needs to “redeem” the rewards at a restaurant is to use a member’s phone number when signing the check or before placing the order. For this part of the attack to work, one doesn’t even need an email address.
But I’ll leave you with the detailed 14-page report here to dig deeper: https://docs.google.com/document/d/11DtVDXkw0hMn0kQCy8uIANeEnMGn-E3zXEpAFX-3b7I/edit?usp=sharing

Embedded 14-Page Vulnerability Discovery Report
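Both halves of the flaw, reading another member’s record through GetCustomerInfo and overwriting it as described in Part 2, come down to the same missing check: the server authenticates the token but never ties the record named in the URL to the account the token was issued to. The following is an added example, not P.F. Chang’s code. It models a vulnerable handler pair beside a hardened pair in plain Python; the token store and member records are constructed, and the `UpdateCustomerInfo` handler name is assumed, since the article does not name the write endpoint.

```python
import copy
from dataclasses import dataclass, field
from typing import Optional

# Constructed data: login tokens and the account each was issued to, plus
# member records keyed by email. None of this is real P.F. Chang's data.
TOKENS = {
    "tok-rogue-1": "rogue@example.com",
    "tok-victim-1": "victim@ma.il",
}
RECORDS = {
    "rogue@example.com": {"FullName": "Rogue Tester", "Phone": "000-000-0000", "LoyaltyId": "R-1"},
    "victim@ma.il":      {"FullName": "Victim Member", "Phone": "555-010-0000", "LoyaltyId": "V-1"},
}


def fresh_records():
    """A private copy of the member store, so update handlers can be exercised safely."""
    return copy.deepcopy(RECORDS)


@dataclass
class Request:
    headers: dict                    # e.g. {"token": "...", "authorization": "..."}
    path_email: str                  # the value after /GetCustomerInfo/ in the URL
    body: Optional[dict] = None      # JSON body for update requests


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def authenticate(req):
    """Resolve the token header to the account it was issued to, or None."""
    return TOKENS.get(req.headers.get("token"))


# --- Vulnerable: authentication only. The URL decides whose record is used. ---

def get_customer_info_vulnerable(req, records=RECORDS):
    if authenticate(req) is None:
        return Response(401)
    record = records.get(req.path_email.lower())
    return Response(200, dict(record)) if record else Response(404)


def update_customer_info_vulnerable(req, records):
    if authenticate(req) is None:
        return Response(401)
    record = records.get(req.path_email.lower())
    if record is None:
        return Response(404)
    record.update(req.body or {})          # any logged-in member can overwrite anyone
    return Response(200, dict(record))


# --- Hardened: the record is bound to the authenticated account, not the URL. ---

def _authorize(req):
    """Return (subject, error): subject is set only when the caller is logged in
    and the URL names their own account; otherwise error is the response to send."""
    subject = authenticate(req)
    if subject is None:
        return None, Response(401)
    if req.path_email.lower() != subject.lower():
        return None, Response(403)       # authenticated, but not the record owner
    return subject.lower(), None


def get_customer_info_hardened(req, records=RECORDS):
    subject, err = _authorize(req)
    if err:
        return err
    record = records.get(subject)
    return Response(200, dict(record)) if record else Response(404)


def update_customer_info_hardened(req, records):
    subject, err = _authorize(req)
    if err:
        return err
    record = records.get(subject)
    if record is None:
        return Response(404)
    record.update(req.body or {})          # only the caller's own record can change
    return Response(200, dict(record))


if __name__ == "__main__":
    rogue = {"token": "tok-rogue-1"}
    print(get_customer_info_vulnerable(Request(rogue, "victim@ma.il")).status)  # 200: exposed
    print(get_customer_info_hardened(Request(rogue, "victim@ma.il")).status)    # 403: refused
```

The hardened handlers still accept the email in the URL for compatibility, but the record they touch is always the one belonging to the token’s account; a mismatch is answered with 403 rather than silently serving the caller’s own record, so that a misbehaving client is visible in the logs.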

Disclosure Timeline

  1. Apr 4th, 2018: Security flaw is identified incidental to the regular use of P.F. Chang’s Rewards website.

© 2018. Akshay Sharma.

Written by Ax Sharma
Security Engineer | Researcher | Tech Columnist | https://hey.ax

AxDB
Accidental eXposures Database (AxDB) — a publication featuring groundbreaking, firsthand vulnerability exposures affecting leading organisations and cyber systems, to which news media and research community can subscribe.
