On February 22, 2016, while visiting a Smokey Bones restaurant, I uncovered a vulnerability that allows anyone to obtain the name, email address, and date of birth of any Bones Club rewards program member. You can even change a Bones Club member's phone number on record with Smokey Bones. And all you need is their phone number.
Anyone can walk into one of the 65+ Smokey Bones restaurants, sit at a table or at the bar, and use any one of the table-top Ziosk units to check their Bones Club points.
One of the methods to look up your rewards account is to enter your phone number. Once you do this, you are provided with the following nifty screen.
Great, you get to see how many points you have. And some other information is also shown. This includes your first and last name, email address, an additional phone number, and your date of birth.
The problem? You can enter anyone's phone number. If they are a Bones Club member, you are presented with all of their info. Yes, all you need is a phone number. I pulled out my phone and looked up some random people who I thought might go to this restaurant. I got a hit on the first try. You can sit at the table in the restaurant and literally keep entering phone numbers until you find something interesting.
Phone numbers are not private and should never be used as a method of authentication, especially when that's all that is needed to get access to other sensitive information about someone like their email address, other phone numbers, and their DOB (which is personally identifiable information). Oh, and a bonus here is that once you are on this screen you can change the Bones Club member's listed phone number. That way you can prevent them from getting to their own rewards account, and you might be able to do something more interesting.
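To make the design flaw concrete, here is an added example (my own illustration, not Ziosk or Smokey Bones code) of a rewards lookup written the way the kiosk behaved beside a hardened version: the kiosk gets the points balance and nothing else, each kiosk has a lookup budget so a diner cannot sit and cycle through numbers, and changing the phone on file requires a one-time code delivered to the number already on record. The member record, the per-kiosk limit and the code-delivery step are all assumptions made for the example.

```python
import hmac
import secrets

# Constructed sample record; not real member data.
MEMBERS = {"5555550100": {"name": "Jane Doe", "email": "jane.doe@example.com",
                          "dob": "1980-01-01", "points": 1200}}
MAX_LOOKUPS_PER_KIOSK = 5   # hypothetical per-session budget
_lookups = {}               # kiosk id -> lookups so far
_pending_codes = {}         # phone -> one-time code awaiting confirmation

def lookup_vulnerable(phone):
    # The behaviour described in the post: any phone number returns the full profile.
    m = MEMBERS.get(phone)
    return None if m is None else dict(m)

def mask_email(email):
    # Keep the first character and the domain only, e.g. j***@example.com.
    local, domain = email.split("@", 1)
    return f"{local[0]}***@{domain}"

def lookup_hardened(kiosk_id, phone):
    # Balance only, no name/DOB/email, and a per-kiosk budget to blunt number guessing.
    _lookups[kiosk_id] = _lookups.get(kiosk_id, 0) + 1
    if _lookups[kiosk_id] > MAX_LOOKUPS_PER_KIOSK:
        return {"error": "too many lookups; please see staff"}
    m = MEMBERS.get(phone)
    if m is None:
        return {"error": "no account for that number"}
    return {"points": m["points"], "email_hint": mask_email(m["email"])}

def start_phone_change(phone):
    # Issue a one-time code; a real deployment texts it to the number currently on file.
    if phone not in MEMBERS:
        return None
    code = f"{secrets.randbelow(10**6):06d}"
    _pending_codes[phone] = code
    return code

def confirm_phone_change(phone, code, new_phone):
    # Only whoever received the code at the current number can move the account.
    expected = _pending_codes.pop(phone, None)
    if expected is None or not hmac.compare_digest(expected, code):
        return False
    MEMBERS[new_phone] = MEMBERS.pop(phone)
    return True
```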
I notified Smokey Bones and have exchanged emails with (and spoken multiple times with) their Director of Marketing. I have been informed that a fix for this was rolled out on March 15.
Note that it was somewhat difficult to contact anyone who could help me or understand what I was talking about. These attempts included sending them a note on the issue right from the Ziosk unit at the store, calling them by phone, leaving a message on their web site, calling them again. I did get in touch with someone late on February 24.
It's unclear how long this "feature" has been in place and for how long this exposure has existed. As a Bones Club member myself, I am glad that I provided an incorrect DOB and not my direct mobile phone number, as I usually do in situations where it's not absolutely required. But most people do provide this information when asked for it. And I'm sure they never expected it to be made available to anyone who knows their phone number.
"Smokey Bones will not disclose the information that you provide in connection with your membership in the Bones Club to anyone else, but may use your information and other members’ information internally and externally as part of its marketing research."