Originally Posted at FMShooter – Authored by Catboy
[Guest Post] Catboy is a conservative zoomer in his early twenties with years of experience in software engineering, application+network security, and product design. He currently works in financial tech in New York City.
Let’s start with the big reveal, if you have ever had an account with Black Rifle Coffee Company, or have ever placed an order with them, your personal information is at risk. This does NOT include passwords and payment data (to my knowledge).
The Black Rifle Coffee Company is once again getting headlines over its treatment of Kyle Rittenhouse, the 17-year-old hero who shot two criminals (one of whom being a serial child rapist) dead and took a bicep off another. BRCC’s CEO, Evan Hafer, liked a Tweet calling Rittenhouse a “LARPer,” a “punk ass,” and “a wannabe douchebag.” He called those protecting their private property from rioters “repugnant.” He has also been caught donating to Act Blue, and Barack Obama:
As Black Rifle Coffee blocks conservatives, it's important to understand that CEO @EvanHafer hired ActBlue Dem donors to run his IT and social media. pic.twitter.com/XfncLVYN1e
— John – Pinochet Aviation Academy Grad – Cardillo (@johncardillo) July 19, 2021
Whenever a company pulls something like this, I like to take a quick look at their network infrastructure and security, in hopes that I get to write a blog post like this. As a summary, in case you don’t want to read the entire in-depth analysis of their network:
- All BRCC customer data has been breached, excluding passwords (handled by Shopify) and payment data (handled by stripe)
- You can login as any BRCC customer without their password. You can edit profiles, place orders, and edit subscriptions just by knowing their email.
- You can brute force customer emails using an internal API for looking up orders. This also includes (partial) payment data, tracking numbers, and more identifiers
- You are able to see every time an employee discount is used, without logging in.
- You could fuck with their custom Shopify integrations, but this probably won’t do much
- Other unsolved discoveries include
- Figuring out other internal BRCC tools (*.apps.blackriflecoffee.com)
- Some potential querying endpoint: https://data.blackriflecoffee.com/
- Some potential querying endpoint: https://apps.customers.blackriflecoffee.com/
- B2B sales platform: https://dealer.blackriflecoffee.com
Usually, this kind of exploit would be reported through HackerOne, or another kind of bug bounty program. This kind of program would report the exploit to the company directly so they could fix it before a blog post about it is published, and would award a cash prize to whoever found the bug. However, as BRCC didn’t give Kyle a chance for his case to be heard before damning him, we, in turn, are not waiting to divulge this exploit or go through any responsible disclosure process. Call it karma.
A Warning
🛑 Do not perform these steps yourself unless you are well-versed in keeping your online identity secure. These are provided for security researchers to explore, and are for educational purposes only. These tutorials assume basic knowledge of application development. For anyone else, just look at the pictures.
A Prerequisite
🛑 Do not use information retrieved via the exploits to steal BRCC’s customer data. Their customers are not at fault here.
A Big Update
After completing this article, I took a look into the BRCC mobile application, not expecting to find anything. To my surprise, they embedded their Shopify admin keys inside their public mobile application, so if you have the mobile app installed, admin access to Black Rifle Coffee exists on your device.
These keys cannot be used to edit their customer-facing website unfortunately, but they can be used to create/edit/delete orders, subscriptions, and customers. Also note the Stripe keys here are not sensitive and are usually included in frontend applications. They are the exception. I redacted the ReCharge keys as too much of them were exposed in the screenshot.
Also embedded are keys to their subscription platform, RechargeApps, an old (?) notification platform, Shopistry, and a custom application for push notifications, located at https://black-rifle-coffee.herokuapp.com. Each of these require more investigation.
The Exploits
1. Login as Any Customer
This one is so easy to perform that it is incredible it has not been found before.
- Send a POST request to https://account.blackriflecoffee.com/login with a JSON body consisting of `{“email”: “[email protected]”}`
- You will receive a URL as a response.
- (optional) – This URL contains a Shopify Multipass token, exchange that multipass token for a regular Shopify access token using the Shopify REST API.
- (optional) – on account.blackriflecoffee.com, set your `shopify_customerToken` cookie to be the regular Shopify access tokenYou now have access to any user’s account.blackriflecoffee.com account.
- Click the URL
- You will now be in a hidden internal BRCC tool with the user’s profile pulled up. You can make any edits you would like.
From here, you can edit profiles, place orders, edit subscriptions, edit addresses. Free coffee, I guess? Their coffee is kinda shit though, so this is mostly for fun.
2. See Detailed Customer Data
- Send a GET request to one of the following, replacing the email in the URL with any BRCC customer:
- https://account.blackriflecoffee.com/api/loyalty/customer/[email protected]
- https://account.blackriflecoffee.com/api/subscription/customer/email/[email protected]
3. See Detailed Order Data
- Send a GET request to https://account.blackriflecoffee.com/api/order/2760367571053. It may take a few tries to generate valid order IDs, but you can write a program to do this automatically.
4. Get a Bunch of Valid Order IDs
For some context, there are a bunch of internal tools BRCC uses to communicate between Shopify and their own systems. One such tool is located at https://apps.empdiscount.blackriflecoffee.com/. Note that this might give you an “Unauthorized” error, but you can quickly get around that by adding a `?` to the URL to fake a query parameter. So https://apps.empdiscount.blackriflecoffee.com/?. Lol.
Here you can get the details of anyone who has ever used an employee discount code. It’s in a UI so no instructions needed.
5. Fuck Around
There are a bunch of other internal apps like the employee discount one. They don’t do anything special, but I’m sure it breaks something, somewhere:
- https://apps.inventory.blackriflecoffee.com/?
- https://apps.inventory.blackriflecoffee.com/?
- https://apps.ghfulfillment.blackriflecoffee.com/?
- https://apps.fulfillment.blackriflecoffee.com/?
- https://apps.stickerclub.blackriflecoffee.com/?
- Note: This one used to contain a log of every customer, but it seems to have been removed as of writing
There are others, but there isn’t a traditional UI attached to them so they will need further investigation by others who have time on their hands
Conclusion
Seems to me that Evan Hafer and the rest of BRCC should spend less time attacking minors on Twitter, and more time ensuring their customers are safe while shopping for their sub-par coffee.
Personally, I prefer https://stockingmillcoffee.com/ (https://twitter.com/smcroasters)
If you’re a security researcher who has found something else related to BRCC, feel free to reach out, and we’ll update this article and credit appropriately.
Editor’s note: Black Rifle Coffee Company should be extremely thankful that Catboy has the goodness in his heart not to abuse their very visible exploits in their website and payments processing, instead choosing to publicly share his findings via a blog post. A worse human being would have extracted all possible data and sold it to the highest bidder. A slightly less worse human being would have changed every customer’s name before mass placing orders to all of them indicating their true feelings for BRCC and Evan Hafer:
If BRCC had just spent less time and money commenting on politically charged court cases and contributing to political super PACS, they may have had the resources to develop a customer-facing website that wasn’t a complete security-riddled piece of shit, and Catboy would never have been able to write this post at all. This blog may not have much reach, but if Hafer or any BRCC employees ever get a chance to view this post, they should take it as a humbling experience and a learning lesson to not piss all over your customer base. More likely, he will cry like a pansy, and blame “the Drumpftards” for daring to take a cursory look at his disdain for not only his customers, but his customer security.
Hahaha
I may have forwarded this article to some unsavory types that like to screw around
4chan has it
On it
Is there even anything over there but bots?
Yes Ken,they had/have a lot of info. on many matters/didn’t give a fuck released it ect.
The latest was the dick who drove thru X-mas parade,way before police/media releases and more truthful.
The folks on 4 chan are a bit insane/autistic ect.but they do good work at times also!
Or this:
https://www.theblaze.com/news/82-year-old-motorist-out-to-pick-up-a-turkey-ahead-of-thanksgiving-gets-surrounded-severely-beaten-by-atv-gang-numbering-between-30-and-40-riders
Why can’t coffee companies just sell coffee?
Why can’t Chik-Fil-A just sell sandwiches and waffle fries?
Actually they do.
They also tell people we ought to wash the feet of zigaboos.
Re: feature not a bug
My thoughts, exactly, A.P.
The whole saga of this company appears to have been an op from the start.
These guys were outed as tools a good while back. Bunch of lefties who laugh at all the clingers buying up their swill. It serves America right though, only a self absorbed population would spend enough on a freaking cup of coffee to propel a company like Starbucks into Fortune 500dom. Ironic that I sometimes buy Chock Full O’ Nuts, it’s an apt description of our collective condition.
Costco’s hazelnut coffee beans …. ROCK !
CostCo … a subsidiary of the Chinese Communist party.
Do you perhaps mean COSCO which is a big shipping company?
Everybody I know who goes to Costco is a commie, if you ask me. Of course, my definition of commie is pretty expansive.
Silly me. I guess you grow your own.
I am a fan of their Colombian Supremo whole bean. Around $6 a pound which is incredibly cheap.
(((lefties)))
I hear ya brah…the Southern Baptist Convention and none other than Pope Francis.
No, they’re literally jewish.
I hear ya brah…
Here’s a tip. Buy green coffee beans wholesale or if you want in small lots on ebay. I get 100+ pounds organic(Easier on my old stomach) and on propane burner outside with a stainless frying pan from the thrift store and a collander,
I cook up my own. About 1 weeks worth at a time. Youtube has many videos about this. The prices have risen recently but several years ago I figured I saved 1800 dollars a year. Less now but oh well. A pound or two of fresh “roasted” coffee also makes a nice gift. It’s the only drug I take and I take a lot….except for Jim Beam and beer and wine ,but those aren’t drugs. So cut out the pusher and do your own.
Here’s a tip. Walk into Walmart with Your AK and shoot every manager on duty and walk out with all the coffee on the shelf … Great Value Coffee currently at $9.84 for a three pound can.
I think you are pushing the envelope a bit. Wanna trade some coffee for some bullets?
Whadda bout Maxwell House?
Get a free tin can to save your bent nails in.
I did, but I sold them at the scrap yard.
I get 8 oz of instant coffee at Aldi for $2.75. And I don’t even wear a mask. I’m bad company – til the day I die.
You are obviously not a coffee connoisseur. Aldi’s does have decent coffee beans among other things.
https://www.youtube.com/watch?v=t7vPjic5sRE
Instant coffee … now that’s livin’
Take a half a teaspoon of the instant coffee and put it in your cheek…that’s an instant rush
I used to order my green beans from Brazil (a Cerrado bean) and am running low on a 100 pound bag bought a couple years ago. I thought I was well stocked.
I cook mine outside until first crack, then bring them in to finish roasting. I love the way it makes the house smell.
Hi Ghost, I use Royal Coffee in Seattle and pick it up at warehouse. Cooking your own is satisfying for several reasons and the biggest is thrift. I am surprised how few people realize this. Quality too.
Who actually gives a Fuck about another LYIN’ Ass Mutherfuckin’ Fascist/Corporatist and the drama they generate, when we have actual MutherFuckin’ Commies holding America hostage and working night and day to destroy traditional America and the republic?!!!???!!??!?
Seems to me the average American has much larger troubles looming than anything posed by Black Rifle Coffee, which is SO OVERPRICED to begin with that only an IDIOT would consider buying it.
Yea … that’s right. Worry about a site that only a select few might use, when the top issues of the day, like Open Borders, Covid Vaccine Mandates, Trillions of Dollars of Economy Destroying Stimulus, Inflation, Strangled Energy Supply and a Broken Supply Chain will soon have the entire nation on its knees, if we don’t stop these goddamned anti-American, red, radical, Democratic Party Communist Rat Bastards of the Biden regime pretty damned soon.
~ Tobin Frost
This is why.
Thanksgiving should be interesting at your house. I would give the speech to my wife’s idiot Prog relatives but PRAISE GOD we aren’t going there. Her brother’s concubine is an ignorant, arrogant MSNBC watching bitch.
Oh, look, it’s the “Commie-Nazis are the REAL problem” moron.
If you don’t know that entire cabals of marxist-maoist crony-capitalist fascists spread through all levels of the federal government and many state govts too, then the only IDIOT and MORON in the room IS YOU.
Its been well documented that Black Lives Matter and Antifa, who acted on the marching orders of the Democratic Party as its foot soldiers in the streets, in America received millions in funding directly from the People’s Liberation Army and the Chinese Communist Party.
Both groups are communist to the core, and both have the support of Joe Biden and virtually every single Democrat in the House and the Senate. So tell me again how the communists and the Corporate Fascists at the highest levels of Corporate America running mass surveillance on all America aren’t THE REAL PROBLEM, when they are doing the bidding of Biden and Marx Inc and subverting, dismantling and destroying the republic at breakneck speed.
You goddamned DUMB MUTHERFUCKER.
If you can’t identify your enemy, you aren’t a serious person.
And you can’t. You appear to have absolutely no idea who your enemy is at all.
This makes you either someone too stupid to have a meaningful opinion, or an incompetent disinformation agent.
Call them whatever You wish. They hold to the ideas of tyranny found in each of these LEFTIST ideologies and they seek to end liberty in America. Whatever name they go by, the Democratic Party, CAIR, the New Black Panthers, Antifa, BLM, Pueblos Sin Fronteras, Open Society or LaRaza ect, they stand against the principles of freedom and liberty, national sovereignty and the private ownership of property. And if You don’t know THAT’S A REAL PROBLEM, YOU REALLY ARE A MORON.
I don’t give a good goddamned what name they go by. If they aim to oppress me and mine and end my freedom and liberty, then one way or another, at the right time and in the right place, I aim to lay them dead on the ground. No fuckin’ brag, JUST A GODDAMNED FACT.
Was thinking the same thing, then came to thread and read what you wrote. Glad you did as you are far better at words than me. Thanks
Whether it’s BRCC or Chic-Fil-A or FNC, Hallmark Channel, or any GOPer pol/think tank claiming to be a “conservative,” one has to be aware of, and be willing to challenge one’s own cognitive dissonance and/or laziness toward delving even a inch below the surface. You wanna resist even a tiny bit against the surveillance Corp-Gov State? Write Moar checks and buy with cash. Don’t buy online via your phone, use Brave browser, Duck-Duck-Go for your search engine, and use a paid VPN for on line activity. Ditch your corporate email (Google, Verizon, ATT, etc). Get a Protonmail or similar email service. A few basic changes in behavior by ‘us’ would have a significant impact. Ain’t gonna happen on a mass scale, but therein lies our problem as a so-called educated, advanced society or even that of our ‘side’. Lack of care or will.
If your posting here, you’re already on someone’s radar.
Oh I’ve been on the radar for a long time. Banned on many sites…Plus I wasn’t a wilting flower when I was within the Belly of the Beast.
One is only on the radar if one is over the target,hence,ones goal should be always over the radar!
An old acquaintance passed away last week who flew Wild Weasels in Vietnam. Two tours in the F-105 Thunderchief. They would fly over AAA sites, often ahead of bombers as decoys and when the radar was turned on they would fire missiles that homed on the radar. Use their “radar”against them.
H+R….Those pilots of the Wild Weasels had balls the size of Gibraltar.
Won’t matter. Microsoft and Apple know everything you do. If you move to Linux, which is your best bet; your ISP spies on you.
Repeat: your ISP spies on you.
Then sells the data AND hands it to .gov without even needing to be asked.
ISP sure, another reason to use a VPN.
Jews are going to Jew. It did not even surprise me how many rubes fell for the Fox News Black Rifle marketing blitz. Just push the right buttons on conservatives or liberals and they will respond like happy little robots.
1-877 Kars for kids. K-A-R-S. Kars for kids.
?
Kars4kids is a donation org who are scam artists. Around my region they played their ads on radio for years. LINK:
https://ecoxplorer.com/2019/12/scam-alert-kars4kids-car-donation-charity/
Any party controlled society demands fealty to the Party Line. This isn’t so complicated, but very hard to break through decades of societal conditioning.
That was like a scene from A Beautiful Mind.
“This is why Whites always need a strong leader to rally them to become cohesive,”
Cue Libertarianism. I gots my rights..Go Galt… Nevermind that Galt is a fiction.
How often right here we see the put downs whenever subordinating ones wants for the greater good come up.
Libertarianism only ends in a dead end.
Man if I owned majority stock in that firm that CEO would be out the door!
Most excellent reasoning.
Rittenhouse *was* a LARPer. So were his “victims”. Crisis actors. No one died
Get a clue morons. Quit falling for psyops
See Amazing Polly’s videos on The Wellness Company. The people who run it and how the alt media people affiliates were duped. Of corruption the won’t admit it it cuz they’re making money.