SpartanNash Yes! Rewards Mobile Application Vulnerability Exposing Private Customer Information

SpartanNash, formerly Spartan Stores, is a food distributor and grocery store retailer headquartered in Byron Center, Michigan. Some of the popular grocery store chains they own include: D&W Fresh Market, Family Fare, VG’s Grocery, and Glens Markets.

They offer a loyalty program called Yes! Rewards, which allows customers to receive everyday savings, digital coupons, free and low cost prescriptions, and savings on fuel.

My buddy Adam Logue assisted in finding and disclosing the vulnerability with me. We discovered the vulnerability after digging deeper into the iOS and Android applications to see how they worked. Using Burp Suite, we intercepted the requests being made from the app.

We discovered that the unid sent with the request was just a unique id number for each account, and we found it vulnerable to an insecure direct object reference (IDOR): the server returned whatever account the unid pointed to without checking who was asking. To test this, I logged in to my Yes! Rewards account, intercepted the request, and swapped my unid with Adam's.

When we sent the request to the Burp Repeater, we found this response:

Below is a python proof of concept that demonstrates enumeration of personal information. The applications have been patched and this code will no longer work.

This script could essentially dump the information for all of the customers, letting a malicious attacker gain access to personally identifiable information.

Other vulnerabilities discovered in this application worth mentioning included the ability to clip coupons for other customers, add and remove other customers from Yes! Rewards clubs, and view transaction details from other customers. On the Android application, we also had the ability to edit customer profile information. Many of these vulnerabilities were the result of insecure direct object references discovered by substituting another person's rewards card number. All of the vulnerabilities discovered have been patched.
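The root cause of both the unid issue and the rewards card number issues is the same: the server looked up a record by a client-supplied identifier and never checked that the identifier belonged to the authenticated account. The following is an added example of that server-side check, not SpartanNash's code; the customer records, session object and handler names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample records for this example (hypothetical schema).
CUSTOMERS = {
    1001: {"name": "Alice Example", "phone": "555-0100", "card": "4000000001"},
    1002: {"name": "Bob Example",   "phone": "555-0101", "card": "4000000002"},
}

# Mismatches between caller and requested object, kept for detection.
ATTEMPT_LOG: list[tuple[int, int]] = []


@dataclass
class Session:
    """What the server knows about the caller after login (hypothetical)."""
    unid: int


class Forbidden(Exception):
    pass


def get_profile_vulnerable(session: Session, requested_unid: int) -> dict:
    """IDOR: trusts the unid from the request and ignores who is asking."""
    return CUSTOMERS[requested_unid]


def authorize(session: Session, owner_unid: Optional[int]) -> None:
    """Refuse and log any request for an object the caller does not own.
    A burst of these entries from one session is the enumeration signal."""
    if owner_unid != session.unid:
        ATTEMPT_LOG.append((session.unid, owner_unid if owner_unid else -1))
        raise Forbidden("object does not belong to the authenticated account")


def get_profile_fixed(session: Session, requested_unid: int) -> dict:
    """Same lookup, but bound to the authenticated identity."""
    authorize(session, requested_unid)
    return CUSTOMERS[session.unid]


def owner_of_card(card_number: str) -> Optional[int]:
    """Resolve a rewards card number to the account that owns it."""
    for unid, rec in CUSTOMERS.items():
        if rec["card"] == card_number:
            return unid
    return None


def clip_coupon_fixed(session: Session, card_number: str, coupon: str) -> str:
    """Coupon clipping keyed by card number gets the same ownership check."""
    authorize(session, owner_of_card(card_number))
    return f"coupon {coupon} clipped for account {session.unid}"
```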

Disclosure Timeline

10/14/2015: Vulnerability Discovered

10/15/2015: Contacted SpartanNash customer service in an attempt to make contact with the proper individuals.

10/16/2015: Received call back from Rob Hoffman and Darryl Grimes, emailed vulnerability information, including PoC.

10/22/2015: Received a follow-up email asking to discuss the fix further. iOS and Android application updates were pushed to the App Store and Play Store.

10/24/2015: Conference call with Rob Hoffman and Darryl Grimes from SpartanNash discussing the patch.

10/25/2015: Fix Confirmed

A special thanks goes out to Rob Hoffman and Darryl Grimes with SpartanNash for fast communication and quickly patching the vulnerability. They were a pleasure to work with. Also to Adam Logue for assisting with the finding, PoC, and disclosure.