Article Details
Scrape Timestamp (UTC): 2026-01-16 11:03:05.968
Source: https://www.theregister.com/2026/01/16/carlsberg_experience_vulnerability/
Original Article Text
Probably not the best security in the world: Carlsberg wristbands spill visitor pics
Researcher shows how anyone can access Copenhagen experience attendees' names, videos

Exclusive The Carlsberg exhibition in Copenhagen offers a bunch of fun activities, like blending your own beer, and the Danish brewer lets you relive those memories by making images available to download after the tour is over. The images, however, are not stored securely: a researcher found that anyone could access the names and images of the many hundreds of beer enthusiasts who visit the brewery each month.

One of those enthusiasts is Ken Munro, founder of Pen Test Partners, who, after visiting the experience himself, discovered that the codes used to access the images could easily be brute-forced. In a report shared with The Register ahead of publication, Munro said that exhibition patrons enter their wristband ID into the company's website and are then taken to the images snapped of them that day, which can be downloaded.

[Image: The Carlsberg Experience wristbands (Ken Munro/Pen Test Partners)]

The format of these wristband IDs, which expire after 30 days, allows for 26 million possible combinations, and Munro knew he could generate all of them easily using only a laptop. Armed with what he called a "broad" vulnerability disclosure policy from the brewer, he set about seeing how much data he could access. Using Burp Suite, he deduced that a wristband ID was converted into a hex string which, when passed to Carlsberg's website, returned the corresponding visitor's images.

"Whilst sticking to the terms of the VDP, I was able to brute force 1 million wristband IDs in around two hours," said Munro. "It would be possible to gain access to all the valid wristband IDs in around 52 hours from one laptop.

"From the sample of 1 million, I validated around 500 wristband IDs, so multiplying that by 26 means that there are around 13,000 people who use the interactive elements at the Carlsberg exhibition every 30 days, assuming all the letters are used."

[Image: Downloading visitors' images taken at the Carlsberg Experience (Ken Munro/Pen Test Partners)]

The researcher said he was able to access the names, images, and videos of exhibition attendees, noting that this kind of information should be protected under GDPR, although it is not the most salacious of leaks you'll see here at The Register.

Difficult disclosure

Munro's visit to Copenhagen took place in August. Days later, on August 19, he submitted his vulnerability report to Carlsberg via Zerocopter. Despite Carlsberg promising to evaluate the report within ten working days and to provide regular progress updates, the company did not respond until November 11, according to the researcher's timeline of events. That was the first and only time Munro heard from Carlsberg about the issue he had reported nearly three months earlier.

In its response, Carlsberg said it had addressed the matter by applying rate limiting, and asked Munro to retest. He did just that, found that wristband IDs could still be brute-forced, and reported as much to Carlsberg, which to date has not responded to him. The company also did not respond to The Register's request for more information.

"In December, I asked Zerocopter again about the disclosure part of the disclosure policy, but they said that a client 'is in their rights to take their time' and that I should 'please be a bit more patient,'" Munro said. "I think my patience has been exemplary, Zerocopter. The problem is that clients can easily avoid public disclosure by avoiding communication. That's not how to do responsible disclosure. That's not how to do IT security."

The issue remains exploitable, Munro told The Register, and as for the rate limiting, it "doesn't seem to have been applied effectively – either they didn't put it on the API, or just didn't implement it."
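The arithmetic behind the findings above (a 26 million-ID space, a 52-hour full sweep, roughly 13,000 live IDs at any time, and why a rate limit on its own does not close the hole) as an added worked example. This is illustration code written for this page, not code from Carlsberg, Pen Test Partners or The Register. The article gives the three input figures but does not describe the ID format, the endpoint, or what rate limit Carlsberg applied; the 10-requests-per-minute throttle, the 128-bit replacement token, and the sliding-window limiter are assumptions for illustration.

```python
import math
import secrets
from collections import defaultdict, deque

# Figures from the article. The exact ID format is not described, so the
# keyspace is taken as a plain count rather than derived from a pattern.
KEYSPACE = 26_000_000          # possible wristband IDs
GUESSES_PER_HOUR = 500_000     # 1 million IDs tried in about two hours
VALID_PER_MILLION = 500        # live IDs found per 1 million tried


def entropy_bits(keyspace: int) -> float:
    """Guessing work an ID really carries: log2 of the keyspace (about 24.6 bits here)."""
    return math.log2(keyspace)


def hours_to_enumerate(keyspace: int, guesses_per_hour: float) -> float:
    """Wall-clock hours to try every possible value once at a given rate."""
    return keyspace / guesses_per_hour


def estimated_valid_ids(keyspace: int, valid_per_million: int) -> int:
    """Scale the sampled hit rate up to the whole keyspace (Munro's 'multiply by 26')."""
    return keyspace * valid_per_million // 1_000_000


def expected_guesses_to_first_hit(keyspace: int, valid_ids: int) -> float:
    """Uniform random guessing lands on a live ID once every keyspace/valid_ids tries."""
    return keyspace / valid_ids


def hours_to_first_hit(keyspace: int, valid_ids: int, requests_per_minute: float) -> float:
    """Time until a throttled attacker's first live ID (throttle value is assumed).

    With ~13,000 live IDs in 26 million, one guess in 2,000 hits, so even a
    10-per-minute limit yields someone's photos in a few hours.
    """
    return expected_guesses_to_first_hit(keyspace, valid_ids) / (requests_per_minute * 60)


def issue_token() -> str:
    """Assumed replacement for a guessable short ID: 128 bits from the OS CSPRNG.

    16 random bytes become 22 URL-safe characters; printing this on the wristband
    instead of the short ID makes enumeration infeasible regardless of rate limits.
    """
    return secrets.token_urlsafe(16)


class SlidingWindowLimiter:
    """Per-client request cap over a rolling window.

    Assumed design: this must guard the lookup endpoint itself (the API the
    website calls), not only the HTML front end, or Burp-driven requests bypass it.
    """

    def __init__(self, limit: int, window_seconds: float) -> None:
        self.limit = limit
        self.window = window_seconds
        self._hits = defaultdict(deque)   # client id -> timestamps of recent requests

    def allow(self, client: str, now: float) -> bool:
        q = self._hits[client]
        # Drop timestamps that have fallen out of the window.
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


if __name__ == "__main__":
    live = estimated_valid_ids(KEYSPACE, VALID_PER_MILLION)
    print(f"ID entropy: {entropy_bits(KEYSPACE):.1f} bits")
    print(f"full sweep at the observed rate: {hours_to_enumerate(KEYSPACE, GUESSES_PER_HOUR):.0f} h")
    print(f"estimated live IDs: {live}")
    print(f"first live ID at an assumed 10 req/min: {hours_to_first_hit(KEYSPACE, live, 10):.1f} h")
    print(f"full sweep of a 128-bit token space: {hours_to_enumerate(2**128, GUESSES_PER_HOUR):.1e} h")
    print(f"sample replacement token: {issue_token()}")
```

The point the limiter illustrates is the one Munro makes in his retest: throttling shrinks an attacker's request rate, but with an ID space this small it only stretches the first hit from seconds to hours. The durable fix is a token with enough entropy that a full sweep is out of reach, with the rate limit as a secondary control on the actual API path.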
Daily Brief Summary
A security flaw at Carlsberg's Copenhagen exhibition allows unauthorized access to visitor names, images, and videos via easily guessable wristband IDs.
Ken Munro of Pen Test Partners discovered the vulnerability, which lets wristband IDs be brute-forced from a single laptop.
The wristband IDs, which expire after 30 days, have only 26 million possible combinations, few enough to enumerate in full in about 52 hours and retrieve the personal data behind every live ID.
Despite a vulnerability report submitted in August, Carlsberg delayed responding until November, and the issue remains unresolved.
Carlsberg said it addressed the flaw by applying rate limiting, but Munro's retest found the IDs still brute-forceable.
Munro estimates around 13,000 people use the interactive elements every 30 days, all of whose data was exposed, raising GDPR compliance and data protection concerns.
The incident underscores the importance of timely and effective responses to vulnerability disclosures to protect customer data.