qnleigh · a year ago
> I would have thought about privately disclosing these findings to Dotpe. But all the API requests are right there in plain sight...

There are pretty common ethical standards about disclosing vulnerabilities privately before disclosing them publicly. I don't see how the obviousness of the vulnerability changes the situation. By warning the company, you give them the opportunity to remedy the problem before announcing to the world that anyone with a laptop can exploit it. Probably they were just hoping that nobody would notice, which is stupid of course, but now they don't have the chance to build up a better wall before the flood of fake orders that could cause real harm to the small businesses whose financial information you disclosed online.

Perhaps I'm being too optimistic about how the company would respond, but I still think it's hard to justify not doing a private disclosure.

mainframed · a year ago
Adding to this, in some countries he is already past the gray area of what constitutes computer fraud.

Pissing off the company, whose systems you accessed without authorization, is one way of getting to experience the full force of the justice system.

moralestapia · a year ago
Curious.

How is this, specifically, fraud?

ryukoposting · a year ago
Well, the link leads to a 404 so it seems like the author has been convinced.
ffsm8 · a year ago
> 37,529 restaurants use Dotpe for QR codes.

At that scale, it would take years to get fixed without forcing it like this.

It's too small for them to care about the liability of security and too large to move quickly

loktarogar · a year ago
> At that scale, it would take years to get fixed without forcing it like this.

But it also might not take years. The point of responsible disclosure is to give them the opportunity. If they don't take it, fine - that's now on them.

Instead this guy is committing fraud with actual financial damages (wasted food) and then sharing how others can commit the same fraud on a massive scale, potentially causing more damage. This is now on him and Dotpe, not Dotpe alone.

chippiewill · a year ago
Maybe, maybe not.

But in responsible disclosure you usually give a 90 day notice period before publicly disclosing and "forcing" them.

tomalaci · a year ago
In this case? Nope. This must be treated as a willful design decision to open up the API to the entire public (including the PII/phone-number leak as per design), even if they say they totally didn't mean that to happen. The government itself should then be notified to go after these guys for failing to do the most basic access controls.

I mean, come on! To treat this as a proper security vulnerability just gives too much leeway for these fast-and-loose businesses/systems. It will just encourage more such crap to proliferate.

I am with the author on this one; I am fairly certain this issue was raised internally already, probably multiple times. Fortunately for the business, their management made the right decision - focus on quick and easy features, security is a non-issue, we will just blame the hackers and have legal channels deal with them. I mean, you even have people here berating someone for uncovering gross negligence at a Google-backed company. Why would businesses bother with basic security when they can play the victim so damn easily?

mpeg · a year ago
Author is in India, I would be very careful because it's much more likely the government will prosecute them for unauthorised access and irresponsible disclosure than do anything to the company.

Truth is even in the west this kind of irresponsible disclosure could land you in jail, much more so in a developing country where these laws are all relatively new.

krsdcbl · a year ago
Fully agree with you!

The API being unauthd is clearly a core design choice, and finding out any customer or service data is openly accessible with consecutive numbers through that API is not a zero day or something.

There is no "responsible disclosure" to be made here; going to the company and explaining what's the issue with all of this amounts to "handing out free consulting" if anything.

thinkingemote · a year ago
Just because someone or something is unethical doesn't mean we should be unethical as a response.

We shouldn't limit ourselves to only be responsible and disclose properly when the vulnerability suits us.

That is both unfair and irrational.

rapnie · a year ago
> Is this what the peak ordering experience looks like?

Call me old-fashioned, but to me the peak experience is a paper menu to choose from, and a waiter that patiently takes the order. Far prefer that to everyone at the table fiddling on their phones in some weird-ass website or even god forbid custom app.

frereubu · a year ago
My main beef with these menus is that I can't see the entire menu on my phone screen, and end up scrolling up and down multiple times before I can decide what I want to order. With a paper menu my eyes can flick up and down much faster. It's like trying to edit spreadsheets on a phone - technically possible but a real pain in the arse.
coisnepe · a year ago
Reminds me of how some people mocked me for having O'Reilly and such massive reference books when I started learning Python and Ruby. "But everything's online!" they claimed. Sure, but nothing's faster than browsing the index for what you're looking for and then skimming the section you're interested in, as opposed to going back and forth StackOverflow threads and random blogs. Currently renovating my house and I again bought 400+ pages reference books of plumbing and electricity, largely sparring me the need to endure endless YouTube videos littered with skits, sponsorships etc. Just straight to the point, factual information.
mihaaly · a year ago
At least the screen is only touched by you. My peril is the touch screen ordering places (practically all fast food places nowadays) where, based on their outlook, hygienically challenged persons swipe their fingers up and down for a long time before you have a chance of following them. There is an ice cream place that opened nearby which I had no chance of trying because they only have touchscreen ordering. Guys at the till only serve ice cream and all orders must go through the touch screen. They put the ice cream into a cone - if you dared to order so - and put it into the fingers of the customer who just swiped the same finger over a screen swiped by dozens of unknown people before. Oi!
loa_in_ · a year ago
I find it absolutely annoying that our phones with amazing pixel density limit the max zoom out for some reason. If I want 5x8 font on my 1080p phone screen why not let me?
eleveriven · a year ago
Scrolling back and forth on a small screen is tedious
gibolt · a year ago
Even worse when the weird ass website has links to multiple PDF documents to download.

Then you find out all the items you looked at aren't available when the waiter stares blankly at you about your order.

Turns out the dinner menu requires horizontal scrolling on the page to find.

rapnie · a year ago
For me peak worse is tables where you get dealt with a single iPad, even when visiting with six people. Which you then get to pass along. And then the 'tech experts' take care of ordering for those who don't get computers, like many elderly folks.
OvbiousError · a year ago
I prefer the PDFs. Most of the time you can zoom out enough to actually have a sizeable part of the menu visible instead of 3 items at a time.
tjbiddle · a year ago
Completely agree with you.

If a restaurant has a QR-code menu, I ask for a physical one.

If they don't have a physical one, I walk out.

I've done that many, many, many times.

com2kid · a year ago
Many people like being able to see what they are ordering. I've seen people order by pointing to pictures on Yelp instead of using the paper menu. Online menus with pictures of every dish are desired by plenty of customers.
TeMPOraL · a year ago
> Online menus with pictures of every dish

The invention of color photography, and large and small format color printing, make it unnecessary for the whole thing to be online. You can have pictures without all the issues of online - like small, low-resolution screens (relative to paper all screens are low-res screens), and being coerced to give away personal data.

GJim · a year ago
> pictures of every dish are desired by plenty of customers.

I'd expect my waiter to look rather puzzled if I asked for a picture of my food, and also perhaps be politely reminded that I am not in a fast food outlet.

pjc50 · a year ago
There's a whole industry of food photography and even creating durable fake food to sit on the counter to advertise dishes. Seeing is believing... and advertising. It can also convey more detail about what's in something and how much you get.

I have a soft spot for cafeteria-style "point to order" systems myself, especially when there's a language barrier. But that does impose a certain industrial feel on an establishment.

grishka · a year ago
Some restaurants in my city use a middle-ground solution: there's a tablet on each table (running Android, of course) on which you can order and pay (but that part is full of dark patterns, unfortunately). But you also still get a paper menu. And paper menus with pictures are great.
PUSH_AX · a year ago
I’m not sure if this could be considered “peak”. The ratio of waiting staff to customers is an obvious bottleneck.

This inefficiency is simply accepted and not even really thought about, it’s just the way things are. But one thing I can say for this tech is it fixed it and the difference is noticeable.

digitalengineer · a year ago
inefficiency? It's part of the experience. I'm not in a restaurant or café to drink as fast as possible. I'm there to socialize as well. Waiting a bit is not a bottleneck, but a feature. (If I wanted speed, I'd take the drive-through).
lm28469 · a year ago
Life isn't about peak efficiency

The experience is as, if not more, important than the result for most things. Leave that for assembly lines (and even that is debatable)

If you want peak efficiency order caffeine powder from Amazon and snort it, it's going to be much cheaper and much more efficient than going to a coffee shop

peoplefromibiza · a year ago
few comments

- you are ordering food and drinks, speed is not essential; if you're in a hurry you don't sit down in a diner/restaurant

- you assume that everything on the menu is perfectly clear, but what exactly is that thing with the mysterious name? (for example, peri peri fries means nothing to me) you can ask a person, not a PDF

- you really want X but you have food allergies or some other dietary restriction; again, you can ask the staff that, not a web site

- most importantly, you're assuming that waiting is generally considered an inefficiency that should be addressed or fixed and that this should be the goal of every place serving food and beverages, while it usually is the moment where people sit and relax and have a little chat; it is called a lunch break for a reason, isn't it? It's the generalization of XKCD #303.

p.s. in my experience in places that use QR code menus orders are not served faster, actually the opposite is often true.

Dalewyn · a year ago
Much like how widening the I-405 does not improve Los Angeles's legendary traffic jams, slabnus do not improve the bottleneck.

Namely, restaurants who move to slabnus simply get rid of the waiters who would have taken the order. You're left with even fewer waiters serving food and drinks, let alone taking orders.

The coup de grace is I don't even get a discount for the degraded service.

Note: Slabnu because I'm pecking at a slab of silicon instead of a proper menu.

mikro2nd · a year ago
In most restaurants the kitchen remains the bottleneck. Tech has not fixed that.
glandium · a year ago
In Japan, many chains are using tablets for their menu, and you can order through that. That's much better than having to pull whatever from a QR code.
xandrius · a year ago
Yep but many many more have handwritten menus in kanji on the walls, I can read many kanjis by now and I'm still pretty swamped by trying to interpret every shop's different handwriting.

At least once you start decoding the drink section (much more consistent) then you can go back and try to interpret the rest.

atoav · a year ago
This might be the best of both worlds. The advantages of digital ordering for both customers and restaurants are:

- staff can keep the menu up to date, basically realtime (they have to do it tho)

- orders can directly land in the kitchen instead of through the waiting staff, which may or may not be coming

- payment can also be done that way

Of course there are more advantages for the restaurants that may or may not go counter to the interests (or rights!) of their customers. E.g. the ability to easily build profiles and sell that data to the highest bidder.

There are downsides too:

- digital menus can fail more easily than paper menus

- congrats you are a waiter, and now IT-support as well

- customers without phones, no/sucky internet or devices that fail to display the menu are out of luck, so you have to provide offline alternatives/own devices that need their own maintenance

- options that are not in the menu and fields that are not offered cannot be filled, e.g. this can be a problem if you are allergic etc.

- impersonal. Most people prefer not having to jump through hoops.

Using a tablet that is provided by the restaurant can alleviate many (but not all) of these issues.

ensignavenger · a year ago
Also in Japan, many restaurants have a vending machine you order from and pay at, then you get a ticket that you hand to the kitchen staff, who make your meal. They have been doing this for a long time.
mihaaly · a year ago
In Japan, with their obsession about cleanliness, I can imagine that those tablets are thoroughly wiped between each customer. But not in other countries.
eleveriven · a year ago
A nice middle ground, yet tablets can be costly for restaurants to implement and maintain.
megablast · a year ago
It is almost exactly the same.
LightBug1 · a year ago
OMG .... 1000 upvotes ...

Even worse are the restaurants who require one table to be all ordered on one phone ... so one lemon ends up effectively being the waiter for the table and doing the ordering for everyone. Ask me how I know.

bjarneh · a year ago
> custom app.

That is always the worst experience. The most painful apps always require you to spend another 7 minutes after installation; typing in and verifying your credit card information... That has to be the most convoluted paying experience.

I was almost shocked when I rented a Hertz car (via IKEA), that everything was done through a website. The website asked for permission to use the phone camera to take pictures of the car etc. and off we went. Such a good experience compared to fiddling with a new app..

giarc · a year ago
The best implementation of a QR code menu I've seen was as follows. There was a paper menu, but you could also order from the QR code. It was a well designed page to choose from, but the wait staff were still there and took orders. We had the option to order from the QR code if we wanted. When they entered our order, the page (linked to our table through a custom QR code) updated with our order. We could add items at any point or we could "call our wait staff" who would then come to our table. At any point we could just pay our bill and walk away. It was the same feeling as using an Uber for the first time and just walking out of the car and not worrying about paying the driver.
dumpHero2 · a year ago
Will call you old fashioned for that. I recently went to a restaurant with a large group of friends and they used toast tab for online ordering. The experience was much better than ordering in person. Each family was able to order and pay for themselves. We could add extra items to our order whenever we wanted.

Without the app I would've had to keep an eye for a roaming waiter, call them out and then place an order. This takes away from the dining experience. I also don't like to wait for the server to clear plates, take the card, swipe it and get it back. The old fashioned ways will disappear for good.

throwaway4233 · a year ago
One of the restaurant chains mentioned in the author's post (Social) is an extremely crowded pub during the night and, for the rest of the time, a place where freelancers or remote workers come in to work and socialize. At least that was the case in Bengaluru, India before Covid.

I would say that from the restaurant's point of view, having the order-from-app experience works out since the freelancers can order via their laptops whenever they want, without having to flag down a waiter. And during rush hours, tables could order what they want without having to spot and call a waiter among a very drunk dancing crowd.

mihaaly · a year ago
Same here. I am even reluctant to scan any QR code that takes me to random web pages, connecting my phone - and since a phone is an extremely personal device, practically an ID, so myself - to that place and time. I am not a fan of being traced and surveilled more than avoidable, and especially not a fan of triggering it myself. Giving away additional data on myself on top of that. No thank you. And this is before considering the system exploiting the vulnerabilities of my device, instead of the other way around shown in the writing. I left a place because of their QR code primary order system. Waiters came around taking orders the old fashioned way, but only in the gaps between serving the QR orders. No thank you.
jonathantf2 · a year ago
Some apps are brilliant though - Wetherspoon pubs in the UK (despite not at all being the height of dining) have an app that works really well, I don't think I've ordered at a person there for at least 5 years.
AStonesThrow · a year ago
A good server is an emissary from the kitchen, who knows the menu, and helps you find the best dishes. A great server establishes rapport with the regulars, anticipates their needs, makes them feel welcome and comfortable.

Unfortunately "server" is not considered a respectable career but something you put up with before your film career takes off, or how you pay your college tuition for that juicy psychiatric nurse degree.

So nobody can be paid enough, or retained long enough, to care about customers or the food. So 25 years from now, the best server will be a Roomba with a prominent QR on its back.

GJim · a year ago
> "server" is not considered a respectable career

In the USA maybe.

I can assure you, being a waiter is taken quite seriously by much of the civilised world. A good waiter is an important part of the dining experience.

sebtron · a year ago
In this case, a weird-ass website that immediately demands your personal data.
globular-toast · a year ago
As a fully capable person I can't stand being waited on. For me the peak ordering experience is I choose an item from some written menu with prices on it, ask for said item and pay exactly the price written on the menu. Then I either take item immediately or come to collect it later to take it to the table myself.

When I want to leave I just get up and go without the stupid ask to know how much I need to pay then ask again to actually pay with expectation that I pay more than what was asked like it's my choice to pay but really it isn't.

noufalibrahim · a year ago
Completely agree. And it also allows opportunities for customization. Custom paper, cutting, presentation etc. Whereas on the phone, it's usually just a PDF or some responsive website.

A real waiter also allows for a human connection to be created. Experienced waiters (rather than part timers) can really help you make an order, give you recommendations etc. which makes the experience of dining out much nicer.

hyperbolablabla · a year ago
Agreed. I've been to restaurants that only had a QR code but were also a Faraday cage so I couldn't access it. Was absolutely ridiculous.
mytailorisrich · a year ago
I have been to restaurants where they bring you a tablet that you keep at your table. It has the menu and everything on it. You order what you want from it, food or drinks, at any time and a waiter brings it to you.

I found the experience better than ordering from a waiter and better than using your own phone.

I've been told that chains in China have now replaced this last bit, "a waiter brings it", with a little robot.

elric · a year ago
Similarly old fashioned here. If there's no menu and/or no table (or bar) staff to take an order, I simply walk out.
infecto · a year ago
Unfortunately the implementation that most Western countries took is pretty terrible. One of the highlights for me in China is the lack of menus in restaurants, I can still ask the staff questions if there are any but its nice being able to order add-ons throughout the meal without having to wave someone down.
falconertc · a year ago
You're right, you are old-fashioned. I love order by phone. Any amount of time I'm sitting at a table trying to get a waiter to notice me and come by just feels like agony. Let me tell you exactly what I want, exactly when I want it.
matheusmoreira · a year ago
Completely agree. I'll tolerate PDF menus if it's a really good restaurant, chances are I already know what I want anyway. If they ask me to install apps on my phone I walk out.
eleveriven · a year ago
I'm with you on that. There's something special about a personal interaction with a waiter and a paper menu
IshKebab · a year ago
People will find a way to be nostalgic about anything I guess.

"There's something special about having a wire attached to your phone."

"There's something special about greeting a lift operator."

"There's something special about hand-washing clothes."

swah · a year ago
And a little button to call the waiter... I hate trying to make eye contact with a waiter in a big and busy place.
megablast · a year ago
Peak is to me where we can sit and order and pay, and do not get interrupted so we can actually talk.
gloosx · a year ago
This is cheap restaurant experience, in good ones you always get the good old paper
IshKebab · a year ago
Ah yes the peak experience is having to wait 10 minutes and catch an extremely busy person's attention just so you can order.

Most of these ordering systems (at least the ones that have survived COVID) are pretty good websites now. I don't remember ever having to use a custom app. It's a far superior experience.

(Oh yeah and I guess you may be American and have a very different eating experience to the rest of the world where waiters don't live off the arbitrary generosity of customers.)

ktosobcy · a year ago
> waiter that patiently takes the order.

Ah yes... superiority complex?

rococode · a year ago
Not to be a party pooper, but posting a detailed financial analysis of the exact sales data of a multi-million dollar business using numbers obtained through an obviously overlooked backdoor seems like a very bad idea. Haven't people gone to jail for less? (iirc "but it was an insecure API" has not held up in court in the past)

On a more positive note, I've used a QR menu recently and it really is a game changer. Scanned a code, pressed a few buttons, and my food was there in minutes! Looking forward to seeing it more often, especially in places where you're not looking for stellar service.

Tepix · a year ago
> Looking forward to seeing it more often

Not sure if you're serious after reading the paragraph where he ordered food for another table ;-)

snypox · a year ago
When implemented properly, it’s a convenient system. I enjoyed using it at the Stockholm airport a few months ago.
rococode · a year ago
Haha :) Looking forward to seeing it more often... with proper security
hoseja · a year ago
"obviously overlooked backdoor"

This is the front door. It's not even open, it's taken off the hinges.

Scratch that, there never was a door in the first place, just a gaping hole right to the street.

msephton · a year ago
I'm interested to know what the correct way to report this would have been? Specifically in this case. And what would one expect after reporting it? I've found many things like this and only reported two: Genius (they said thanks) and Amazon (they replied but ultimately ignored it, and the issue is still there today).
ldjb · a year ago
First thing I would do is look for a security.txt file or search to see if they operate some kind of bug bounty. Failing that, I would browse their website or search for contact details (or even just a contact form). WHOIS can be useful for this. Ideally you'd want some kind of security contact, or a technical contact, but other times you have to make do with the general contact email/form.

In this specific case, they have a general email address at the bottom of their privacy policy, so that's what I'd use.

I'd send them an email along the lines of "I found a security issue with your website; how would you like me to report it to you?". Then they'll hopefully put me in touch with the right person.

In terms of what I'd expect… If they operate a bug bounty (which they don't in this case) then I'd expect what's on offer. If not, it would depend. I often don't expect anything. There have been businesses I've disclosed security vulnerabilities to that are shady enough that I've refused the reward they offered. Sometimes I don't want anything to do with them.

JKCalhoun · a year ago
> Looking forward to seeing it more often, especially in places where you're not looking for stellar service.

I loathe them perhaps even more than I loathe the order-kiosks that McDonald's has rolled out. My phone is smaller than the folded napkin, I would rather not have to scroll to examine a menu.

Regardless, a restaurant should think twice about outsourcing this kind of thing to a 3rd party that now has all of your (and your competitors) financials. Even if the API is better vetted, why would you trust this faceless, profit-motivated site with your data?

"Convenience" seems to be the way they market "getting rid of employees" these days — from self-service gas, self-checkout lanes, etc.

eleveriven · a year ago
It’s definitely a more streamlined experience in some cases but for me it has more disadvantages
2Gkashmiri · a year ago
eh. this is india my dude
layer8 · a year ago
samanator · a year ago
Thanks, apparently the article was taken down...
siddharthgoel88 · a year ago
From a technical standpoint, I find the details interesting. However, this irresponsible disclosure of the vulnerability troubles me. I am guessing that last year the Indian government passed the PDPA bill (https://www.meity.gov.in/writereaddata/files/Digital%20Perso...) if I am not mistaken. Even though irresponsible disclosure of a vulnerability is not explicitly mentioned in this Act, I am pretty sure that such irresponsible disclosure is enough for the author to land in trouble.

Leaving the PDPA aside, as a software professional I find this act kiddy and unethical. 10 years back I found a major vulnerability in a major multinational bank where I was able to see the monthly statements of any person. I reported this to the bank and they took approx. 1 year to fix it. I did not even mention this bug to my friends or on my CV till it was fixed.

hoseja · a year ago
If you leave the gate to your yard wide open don't be surprised to find kids playing ball there.
siddharthgoel88 · a year ago
Understandable in this case. But if the playground is of a developed nation (like US, Canada, Singapore, etc.) then unlikely that kids would be playing.

In India, personal data is not yet taken seriously by both educated and uneducated people. It will take some time, but I believe this realisation will come to people over time.

laeri · a year ago
I am confused, they didn't contact the company at all and just disclosed this publicly? Very immature handling of a vulnerability finding.
yuye · a year ago
And to add that he tried out the exploit on unknowing participants. It would be better to try this with a friend in-the-know at a separate table. It makes me think he did it more as a practical joke than testing his exploit, especially because he mentioned they were "not-too-intimidating-looking guys".

I'll admit it is a bit funny and the damage caused is tiny (just the price of the food). However, things like this do harm the reputation of bug-bounty hunters.

lopis · a year ago
He could have just tried it on his own table (order on the phone, and then on the laptop through the vulnerability) and avoided a) bothering others, b) wasting food. The result would have been the same.
lordgrenville · a year ago
The author says "I refuse to believe they’re unaware of this. This doesn’t feel like an oversight, it's either a deliberate design decision or they just don't care." Agree that this is an uncharitable way of looking at it.
appendix-rock · a year ago
Yep. It’s just working backwards from some pre existing very negative worldview.

AtNightWeCode · a year ago
Could be as simple as no auth in debug builds and then deployed it by accident.
prmoustache · a year ago
Is it a vulnerability when it is obvious the company does not care about security?
shreddit · a year ago
Yes. Because who at the "company" does even know about this? Maybe just some coder who wrote it. But the legally liable CEO? Maybe not.
globular-toast · a year ago
If you discovered an incompetent healthcare provider was prescribing antibiotics for every condition would you "contact them privately" or contact the relevant authorities?

Private disclosure is for when you believe the company cares about security but made a genuine mistake. For the company in the OP it would be more like free education in fundamental privacy and ethics. They're not entitled to that. Name and shame.

appendix-rock · a year ago
Sure, but what you’re describing is not what is being suggested. Responsible disclosure typically involves disclosing publicly after a reasonable period of time.
4ndrewl · a year ago
This is hardly a 0-day vuln exploit. This works as designed (and presumably design has been signed off etc)
desultir · a year ago
is it really a vulnerability if the entire thing is open by design?
filcuk · a year ago
Who says it was? Why would they willingly give out their customers' and customers' customers data to any anonymous person or a bot? More likely a bad oversight
mpeg · a year ago
Yes! You as a user are not meant to knowingly access data that does not belong to you. Even something like changing the id from 1 to 2 is legally considered unauthorised access.

It would be different if for example the application was showing data for other customers through normal use of it, but even if there is no other barrier to access than changing an id that is considered bypassing access control and can result in jail time in most places. Now I'm not an expert in India's computer misuse laws but I am willing to wager they are not the most progressive when it comes to this kind of thing.
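The pattern this comment describes, as an added illustration (not Dotpe's code or anything from the article): an unauthenticated lookup keyed by a consecutive integer, next to a handler that authenticates the caller and checks ownership before returning a record. All data, tokens, references and the session scheme are constructed for the example.

```python
"""Object-level authorization for an order-lookup endpoint.

Added illustration, not Dotpe's code: the pattern the thread describes
(an unauthenticated lookup keyed by a consecutive integer) next to a
handler that authenticates the caller and checks ownership before
returning anything. Data, tokens and references below are constructed.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int          # consecutive internal key: trivially guessable
    public_ref: str        # random reference printed for the customer
    customer_phone: str    # the PII the thread is worried about
    restaurant_id: int
    items: tuple


def new_public_ref() -> str:
    """How a non-guessable reference would be minted (fixtures below are fixed)."""
    return "r_" + secrets.token_urlsafe(12)


# Constructed sample data: two customers, two restaurants.
ORDERS = {
    1: Order(1, "r_k3p9qv2m", "+91-90000-00001", 501, ("masala dosa",)),
    2: Order(2, "r_x7h2wn8t", "+91-90000-00002", 501, ("peri peri fries",)),
    3: Order(3, "r_b4c6zj1d", "+91-90000-00001", 502, ("filter coffee",)),
}
ORDERS_BY_REF = {o.public_ref: o for o in ORDERS.values()}

# Constructed sessions: opaque token -> authenticated customer identity.
SESSIONS = {
    "tok-alice": "+91-90000-00001",
    "tok-bob": "+91-90000-00002",
}


class NotFound(Exception):
    pass


class Unauthorized(Exception):
    pass


def _serialize(order: Order) -> dict:
    return {
        "ref": order.public_ref,
        "restaurant_id": order.restaurant_id,
        "items": list(order.items),
        "customer_phone": order.customer_phone,
    }


def get_order_vulnerable(order_id: int) -> dict:
    """Before: no caller identity and an integer key. Changing the id from
    1 to 2 returns another customer's record, phone number included."""
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound
    return _serialize(order)


def get_order(session_token: str, public_ref: str) -> dict:
    """After: authenticate, look up by the random reference, then check that
    the record belongs to the caller. A record that exists but is not yours
    gets the same NotFound as a missing one, so the response does not confirm
    which references exist."""
    customer = SESSIONS.get(session_token)
    if customer is None:
        raise Unauthorized
    order = ORDERS_BY_REF.get(public_ref)
    if order is None or order.customer_phone != customer:
        raise NotFound
    return _serialize(order)


def lookup_status(session_token: str, public_ref: str) -> str:
    """Outcome of the hardened lookup as a string, convenient for tests/logs."""
    try:
        get_order(session_token, public_ref)
        return "ok"
    except Unauthorized:
        return "unauthorized"
    except NotFound:
        return "not_found"


if __name__ == "__main__":
    # Audit on the constructed data: the anonymous integer lookup exposes every row.
    print(sum(1 for i in ORDERS if get_order_vulnerable(i)))          # 3
    # Hardened handler: only the owner, and only via the random reference.
    print(lookup_status("tok-alice", "r_k3p9qv2m"))   # ok
    print(lookup_status("tok-alice", "r_x7h2wn8t"))   # not_found (Bob's order)
    print(lookup_status("nope", "r_k3p9qv2m"))        # unauthorized
```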

inquisitor26234 · a year ago
same thoughts, annual reports of larger companies have more dense figures than these too.
victorbjorklund · a year ago
Doubt the company made it open by design. Doubt you will find an order from the CEO to make it open. It was probably a fuck up by a shitty coder.
AndyMcConachie · a year ago
Disagree.

Most likely the company will blame them for trying to help. Also, if the company is so incompetent that they allow this why bother. He's not getting paid to be their test engineer.

kapitanjakc · a year ago
I found a similar vulnerability in a state government bus transport facility, where you could get a list of everyone who made a reservation online.

You can get their gender, age, name, mobile number.

I simply reported it to their website's support email and state cyber cell.

This was 7 years ago, that vulnerability still exists.

jeroenhd · a year ago
This is why security researchers (threaten to) release this kind of information publicly. Reporting security issues doesn't fix anything until other people learn the details.
steinuil · a year ago
I like to scan the "specialized" bar/QR codes I come across in my daily life in case they're not just URLs. Sometimes I find some interesting stuff and possibly some opportunities for mild exploits.

The other day I was at Burger King. They allow you to refill your drink as many times as you like within 60 minutes of purchasing it, and the way this restriction is implemented is by having you scan a QR code they print on your receipt at the drink machine. I scanned the QR code with Binary Eye (an Android app that reads all sorts of barcodes, highly recommended). It contained some numbers I couldn't immediately recognize as interesting, a timestamp in a format similar to 202409231049, and a UUID.

Now, the UUID is probably the ID of the order in their internal system, so the question is: does the drink machine only read the timestamp or does it also use the UUID to query the internal system to re-validate it? Can you craft a QR code with the same data but change the timestamp to achieve for infinite refills?

TeMPOraL · a year ago
> Can you craft a QR code with the same data but change the timestamp to achieve for infinite refills?

Well, can you? :). It's the obvious next thing to try, given that Binary Eye is conveniently also a barcode generator, not just a scanner.

steinuil · a year ago
I know, but sadly I did not have enough time to stay there for more than an hour and try it out.
always_imposter · a year ago
>Can you craft a QR code with the same data but change the timestamp to achieve for infinite refills?

I'm hoping nobody is so naive as to let your client have mission-critical info to implement something as crucial as giving a discount or refills in your case. It would just be an extra column in your db table; the only identifier available to the user should be just the UUID, along with some identifier.
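The point made in this comment and the question above it, as an added example (not Burger King's or any vendor's code): the payload layout (some digits, a YYYYMMDDHHMM timestamp, a UUID) follows the earlier description, while the `|` separator, the 60-minute window and every sample value are assumptions. A drink-machine check that trusts the timestamp printed in the code is shown next to one that uses the UUID only as a key into the server's own purchase record.

```python
"""Validating a refill QR code at the drink machine.

Added example, not any vendor's code. Payload layout follows the thread
(numbers, YYYYMMDDHHMM timestamp, UUID); the '|' separator, the 60-minute
window and all sample values are constructed.
"""
import re
import uuid
from datetime import datetime, timedelta

REFILL_WINDOW = timedelta(minutes=60)
TS_FORMAT = "%Y%m%d%H%M"
# Assumed layout: <numbers>|<YYYYMMDDHHMM>|<uuid>
PAYLOAD_RE = re.compile(
    r"^(?P<numbers>\d+)\|(?P<ts>\d{12})\|(?P<uid>[0-9a-f-]{36})$"
)


def parse_receipt_code(payload: str) -> dict:
    """Strictly parse the scanned string; reject anything that does not match."""
    m = PAYLOAD_RE.match(payload)
    if m is None:
        raise ValueError("malformed refill code")
    return {
        "numbers": m.group("numbers"),
        "printed_at": datetime.strptime(m.group("ts"), TS_FORMAT),
        "order_id": uuid.UUID(m.group("uid")),
    }


# Constructed server-side record of purchases: order UUID -> purchase time.
PURCHASES = {
    uuid.UUID("6f1d2c4e-8a3b-4c5d-9e7f-0123456789ab"): datetime(2024, 9, 23, 10, 49),
}


def refill_allowed_trusting_client(payload: str, now: datetime) -> bool:
    """Weak form: the machine believes whatever timestamp is in the QR code,
    so the printed data alone decides the window."""
    code = parse_receipt_code(payload)
    return timedelta(0) <= now - code["printed_at"] <= REFILL_WINDOW


def refill_allowed(payload: str, now: datetime, purchases=PURCHASES) -> bool:
    """Hardened form: the UUID is only a lookup key. The purchase time comes
    from the server's record, so the printed timestamp is irrelevant, and an
    unknown UUID is denied rather than trusted."""
    code = parse_receipt_code(payload)
    bought_at = purchases.get(code["order_id"])
    if bought_at is None:
        return False
    return timedelta(0) <= now - bought_at <= REFILL_WINDOW


def decide(payload: str, now_str: str) -> dict:
    """Both checks at a given wall-clock time (YYYYMMDDHHMM), for tests and logs."""
    now = datetime.strptime(now_str, TS_FORMAT)
    return {
        "trusting_client": refill_allowed_trusting_client(payload, now),
        "server_side": refill_allowed(payload, now),
    }


# Constructed inputs: a genuine receipt code, and the same code with the
# printed timestamp rewritten to 12:00 (the case the thread asks about).
REAL_CODE = "0047|202409231049|6f1d2c4e-8a3b-4c5d-9e7f-0123456789ab"
EDITED_CODE = "0047|202409231200|6f1d2c4e-8a3b-4c5d-9e7f-0123456789ab"

if __name__ == "__main__":
    # 101 minutes after the real purchase: only the server-side check says no.
    print(decide(EDITED_CODE, "202409231230"))
    # {'trusting_client': True, 'server_side': False}
```

The stored purchase time is what makes the window enforceable; the machine should log a denied scan with the UUID so staff can spot repeated attempts against one order.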

steinuil · a year ago
I don't think this is that critical; if you stay there long enough and regularly go to refill your drink or come back the next day and make a beeline for the drink machine I think the staff would notice something's off.