Overview
On February 22, 2016, while visiting a Smokey Bones restaurant, I uncovered a vulnerability that allows anyone to obtain the name, email address, and date of birth of any Bones Club rewards program member. You can even change a Bones Club member's phone number on record with Smokey Bones. And all you need is their phone number.
Details
Anyone can walk into one of the 65+ Smokey Bones restaurants, sit at a table or at the bar, and use any one of the table-top Ziosk units to check their Bones Club points.
One of the methods to look up your rewards account is to enter your phone number. Once you do this, you are provided with the following nifty screen.
Great, you get to see how many points you have. And some other information is also shown. This includes your first and last name, email address, an additional phone number, and your date of birth.
The problem? You can enter anyone's phone number. If they are a Bones Club member, you are presented with all of their info. Yes, all you need is a phone number. I pulled out my phone and looked up some random people who I thought might go to this restaurant. I got a hit on the first try. You can sit at the table in the restaurant and literally keep entering phone numbers until you find something interesting.
Phone numbers are not private and should never be used as a method of authentication. Especially when that's all that is needed to get access to other sensitive information about someone like their email address, other phone numbers, and their DOB (which is personally identifiable information). Oh, and a bonus here is that once you are on this screen you can change the Bones Club member's listed phone number. That way you can prevent them from getting to their own rewards account and you might be able to do something more interesting.
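To make the design point concrete, here is an added example (my own illustration, not code from Smokey Bones, Ziosk, or the fix they rolled out) contrasting a kiosk lookup that treats the phone number as proof of identity with one that treats it only as a lookup key: the hardened version sends a one-time code to the enrolled number, gives the same reply whether or not the number is enrolled, throttles repeated lookups, and returns only the points balance. The member records, class names and the `send_sms` callback are constructed for the demo.

```python
import hashlib, hmac, secrets, time

# Constructed sample records for the demo; not real Bones Club data.
SAMPLE_MEMBERS = {"5551234567": {"name": "Ada Example", "email": "ada@example.com",
                                 "dob": "1990-01-01", "points": 120}}

class WeakKiosk:
    """The behaviour the post describes: the phone number alone returns the full record."""
    def __init__(self, members):
        self.members = {k: dict(v) for k, v in members.items()}

    def lookup(self, phone):
        return self.members.get(phone)   # no proof the caller owns the number

class HardenedKiosk:
    """Phone number is only a lookup key; a code sent to that number proves possession."""
    MAX_STARTS, WINDOW, CODE_TTL = 5, 600, 300   # 5 lookups per 10 min; codes live 5 min

    def __init__(self, members, send_sms, clock=time.time):
        self.members = {k: dict(v) for k, v in members.items()}
        self.send_sms, self.clock = send_sms, clock   # send_sms(phone, code) is a hypothetical stub
        self.pending, self.starts = {}, {}            # phone -> (code hash, expiry); phone -> [times]

    def _throttled(self, phone):
        now = self.clock()
        recent = [t for t in self.starts.get(phone, []) if now - t < self.WINDOW] + [now]
        self.starts[phone] = recent
        return len(recent) > self.MAX_STARTS   # caps how fast numbers can be tried at a table

    def start(self, phone):
        if not self._throttled(phone) and phone in self.members:
            code = f"{secrets.randbelow(10**6):06d}"
            self.pending[phone] = (hashlib.sha256(code.encode()).digest(), self.clock() + self.CODE_TTL)
            self.send_sms(phone, code)
        return "If this number is enrolled, a code has been sent."   # same reply either way

    def lookup(self, phone, code):
        digest, expiry = self.pending.get(phone, (b"", 0))
        ok = self.clock() < expiry and hmac.compare_digest(digest, hashlib.sha256(code.encode()).digest())
        self.pending.pop(phone, None)   # each code is single-use, right or wrong
        if not ok:
            return None
        rec = self.members[phone]
        return {"name": rec["name"], "points": rec["points"]}   # no email, no DOB, no other phone
```

Changing the phone number on record would go through the same possession check, so a stranger cannot re-key someone else's account.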
Status
I notified Smokey Bones and have exchanged emails with (and spoken multiple times with) their Director of Marketing. I have been informed that a fix for this was rolled out on March 15.
Note that it was somewhat difficult to contact anyone who could help me or understand what I was talking about. These attempts included sending them a note on the issue right from the Ziosk unit at the store, calling them by phone, leaving a message on their web site, and calling them again. I did get in touch with someone late on February 24.
It's unclear how long this "feature" has been in place and for how long this exposure has existed. As a Bones Club member myself, I am glad that I provided an incorrect DOB and not my direct mobile phone number, as I usually do in situations where it's not absolutely required. But most people do provide this information when asked for it. And I'm sure they never expected it to be made available to anyone who knows their phone number.
This event was obviously contrary to the Smokey Bones Terms and Conditions and Privacy Policy, which states:
"Smokey Bones will not disclose the information that you provide in connection with your membership in the Bones Club to anyone else, but may use your information and other members’ information internally and externally as part of its marketing research."