September 23rd, 2024

What's inside the QR code menu at this cafe?

A recent investigation revealed significant security flaws in Dotpe's QR code menu system, allowing unauthorized access to sensitive customer data, raising concerns about data privacy and the need for improved security measures.


A recent exploration of a cafe's QR code menu revealed significant security vulnerabilities in the Dotpe platform, which provides contactless ordering for restaurants. After scanning the QR code, the author was able to place an order without any verification. On closer inspection, the API endpoints behind the menu turned out to require no authentication, exposing ongoing orders, purchase history, and personal details of other customers, including the names and orders of patrons at other tables. The author noted that Dotpe's services are used by numerous restaurants across India, including major chains, though many have seen QR ordering decline since the pandemic. The findings suggest that Dotpe's API design lacks basic access controls, leaving customer data open to anyone who inspects the requests the menu page makes. The author expressed disbelief at how easy the data was to reach and questioned whether Dotpe was aware of the problem. The situation highlights the need for stronger data protection in digital ordering systems.

- Dotpe's QR code system allows easy access to sensitive customer data without proper authentication.

- Users can view ongoing orders and personal information of other patrons at the same restaurant.

- Many restaurants using Dotpe have seen a decline in QR code usage since the end of COVID restrictions.

- The findings raise concerns about data privacy and the potential for misuse of customer information.

- There is a call for better security practices in digital ordering systems to protect consumer data.
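As an added example (not Dotpe's code and not taken from the original post), the following models the failure pattern described above: an order-lookup API with no caller authentication and guessable sequential IDs, next to a hardened variant that issues opaque order IDs and a bearer token bound to the order, and checks ownership on every read. The class names, the constructed customers and the phone numbers are assumptions made for the demonstration only.

```python
"""Added example, not Dotpe's code: the failure pattern the post describes
(an order API with no caller authentication and guessable sequential IDs)
next to a hardened variant.  Class names, customers and phone numbers are
constructed for the demonstration."""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Order:
    order_id: str
    table: int
    customer_name: str
    phone: str
    items: tuple


class VulnerableOrderApi:
    """Sequential integer IDs and no notion of who is asking: every order in
    the system can be read by counting upward from 1."""

    def __init__(self):
        self._orders = {}
        self._next_id = 1

    def place_order(self, table, name, phone, items):
        oid = self._next_id
        self._next_id += 1
        self._orders[oid] = Order(str(oid), table, name, phone, tuple(items))
        return oid

    def get_order(self, order_id):
        # No credential and no ownership check: whoever knows (or guesses)
        # an ID gets the customer's name, phone number and basket.
        return self._orders.get(order_id)


class HardenedOrderApi:
    """Opaque random order IDs, a bearer token handed only to the caller who
    placed the order, and an ownership check on every read."""

    def __init__(self):
        self._orders = {}
        self._token_to_order = {}

    def place_order(self, table, name, phone, items):
        oid = secrets.token_urlsafe(16)     # unguessable, so not enumerable
        token = secrets.token_urlsafe(32)   # proves "I placed this order"
        self._orders[oid] = Order(oid, table, name, phone, tuple(items))
        self._token_to_order[token] = oid
        return oid, token

    def get_order(self, order_id, token):
        owner = self._token_to_order.get(token)
        # A missing/foreign token, or a token bound to a different order,
        # both yield nothing; constant-time compare so the ID cannot be
        # probed by timing.
        if owner is None or not hmac.compare_digest(owner, order_id):
            return None
        return self._orders[order_id]


def seed(api):
    """Three constructed orders from three different tables."""
    rows = [(1, "Asha", "+91-9000000001", ("masala chai",)),
            (2, "Rahul", "+91-9000000002", ("paneer tikka", "lime soda")),
            (5, "Meera", "+91-9000000003", ("filter coffee",))]
    return [api.place_order(*row) for row in rows]


def leak_from_vulnerable_api():
    """An outsider who never ordered just walks the ID space."""
    api = VulnerableOrderApi()
    seed(api)
    leaked = []
    for guess in range(1, 100):
        order = api.get_order(guess)
        if order is not None:
            leaked.append((order.table, order.customer_name, order.phone))
    return leaked


def leak_from_hardened_api():
    """Same enumeration, then a cross-table read using a token that was
    legitimately issued to another customer.  Both come back empty."""
    api = HardenedOrderApi()
    placed = seed(api)                       # [(order_id, token), ...]
    leaked = [g for g in range(1, 100) if api.get_order(str(g), "") is not None]
    victim_id, _ = placed[0]                 # table 1's order
    _, other_token = placed[2]               # table 5's own token
    if api.get_order(victim_id, other_token) is not None:
        leaked.append(victim_id)
    return leaked


def owner_can_read_own():
    """The legitimate caller still sees their own order."""
    api = HardenedOrderApi()
    oid, token = api.place_order(3, "Dev", "+91-9000000004", ("dosa",))
    return api.get_order(oid, token).customer_name == "Dev"
```

In a real deployment the token would be a short-lived session credential tied to the table or the phone number that placed the order, the endpoint would rate-limit and log repeated misses, and responses for "no such order" and "not yours" would stay identical, as they do here, so that the ID space cannot be mapped even without a token.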

AI: What people are saying
The comments on the article about Dotpe's QR code menu system reveal a mix of concerns and opinions regarding the disclosure of security vulnerabilities.
  • Many commenters criticize the public disclosure of the vulnerabilities without prior notification to Dotpe, arguing it is unethical and could harm businesses.
  • Several users share personal experiences with similar vulnerabilities, emphasizing the importance of responsible reporting.
  • There are discussions about the potential legal consequences for the author of the article due to the sensitive nature of the disclosed information.
  • Some commenters express skepticism about the effectiveness of QR code systems in ensuring data privacy and security.
  • Overall, there is a call for better security practices and ethical standards in handling vulnerabilities.
46 comments
By @qnleigh - 4 months
> I would have thought about privately disclosing these findings to Dotpe. But all the API requests are right there in plain sight...

There are pretty common ethical standards about disclosing vulnerabilities privately before disclosing them publicly. I don't see how the obviousness of the vulnerability changes the situation. By warning the company, you give them the opportunity to remedy the problem before announcing to the world that anyone with a laptop can exploit it. Probably they were just hoping that nobody would notice, which is stupid of course, but now they don't have the chance to build up a better wall before the flood of fake orders that could cause real harm to the small businesses whose financial information you disclosed online.

Perhaps I'm being too optimistic about how the company would respond, but I still think it's hard to justify not doing a private disclosure.

By @rapnie - 4 months
> Is this what the peak ordering experience looks like?

Call me old-fashioned, but to me the peak experience is a paper menu to choose from, and a waiter that patiently takes the order. Far prefer that to everyone at the table fiddling on their phones in some weird-ass website or even god forbid custom app.

By @rococode - 4 months
Not to be a party pooper, but posting detailed financial analysis of the exact sales data of a multi-million dollar business using numbers obtained through an obviously overlooked backdoor seems like a very bad idea. Haven't people gone to jail for less? (iirc "but it was an insecure API" has not held up in court in the past)

On a more positive note, I've used a QR menu recently and it really is a game changer. Scanned a code, pressed a few buttons, and my food was there in minutes! Looking forward to seeing it more often, especially in places where you're not looking for stellar service.

By @siddharthgoel88 - 4 months
From a technical standpoint, I find the details interesting. However, this irresponsible disclosure of the vulnerability troubles me. I am guessing that last year the Indian government passed the PDPA bill (https://www.meity.gov.in/writereaddata/files/Digital%20Perso...) if I am not mistaken. Even though irresponsible disclosure of a vulnerability is not explicitly mentioned in this Act, I am pretty sure that such an irresponsible disclosure is enough for the author to land in trouble.

Leaving PDPA aside, as a software professional I find this act kiddy and unethical. 10 years back I found a major vulnerability in a major multinational bank where I was able to see the monthly statements of any person. I reported this to the bank and they took approx. 1 year to fix it. I did not even mention this bug to my friends or on my CV till it was fixed.

By @laeri - 4 months
I am confused, they didn't contact the company at all and just disclosed this publicly? Very immature handling of a vulnerability finding.
By @kapitanjakc - 4 months
I found a similar vulnerability in a state government bus transport facility, where you could get a list of everyone who made a reservation online.

You can get their gender, age, name, mobile number.

I simply reported it to their website's support email and state cyber cell.

This was 7 years ago, that vulnerability still exists.

By @steinuil - 4 months
I like to scan the "specialized" bar/QR codes I come across in my daily life in case they're not just URLs. Sometimes I find some interesting stuff and possibly some opportunities for mild exploits.

The other day I was at Burger King. They allow you to refill your drink as many times as you like within 60 minutes of purchasing it, and the way this restriction is implemented is by having you scan a QR code they print on your receipt at the drink machine. I scanned the QR code with Binary Eye (android app that reads all sorts of barcodes, highly recommended). It contained some numbers I couldn't immediately recognize as interesting, a timestamp in a format similar to 202409231049, and a UUID.

Now, the UUID is probably the ID of the order in their internal system, so the question is: does the drink machine only read the timestamp or does it also use the UUID to query the internal system to re-validate it? Can you craft a QR code with the same data but change the timestamp to achieve infinite refills?
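The two possible machine behaviours in the comment above, as an added example that is not part of the original post and not Burger King's or the drink machine's actual code: a validator that trusts the timestamp printed in the code, beside one that authenticates the code with an HMAC and ignores the printed time in favour of the purchase time recorded server-side under the order UUID. The payload layout `<store>|<YYYYMMDDHHMM>|<uuid>`, the store number and the key are assumptions made for the demo; the comment only says the real code carries some numbers, a timestamp and a UUID.

```python
"""Added example, not the drink machine's code: a refill check that trusts
the timestamp printed in the QR code, beside one that authenticates the code
and uses the server's own record of the purchase time.  The payload layout
"<store>|<YYYYMMDDHHMM>|<uuid>" is an assumption made for this demo."""
import hashlib
import hmac
import uuid
from datetime import datetime, timedelta

REFILL_WINDOW = timedelta(minutes=60)
TS_FMT = "%Y%m%d%H%M"            # 202409231049 -> 2024-09-23 10:49


def demo_clock(hour, minute):
    """Constructed 'now' on the day of the receipt in the comment."""
    return datetime(2024, 9, 23, hour, minute)


def parse_payload(body):
    """Split the constructed payload into (store, purchase time, order UUID).
    Raises ValueError on anything malformed."""
    store, ts, oid = body.split("|")
    return store, datetime.strptime(ts, TS_FMT), uuid.UUID(oid)


def naive_allows_refill(body, now):
    """Machine that only reads the timestamp printed in the code.  Anyone who
    reprints the code with a fresher timestamp gets refills indefinitely."""
    try:
        _, purchased, _ = parse_payload(body)
    except ValueError:
        return False
    return timedelta(0) <= now - purchased <= REFILL_WINDOW


class RefillValidator:
    """Machine that (a) authenticates the printed code with an HMAC so its
    fields cannot be edited, and (b) ignores the printed time anyway and uses
    the purchase time recorded when the order UUID was issued."""

    def __init__(self, key):
        self._key = key
        self._purchases = {}     # order uuid -> purchase time (server record)

    def _tag(self, body):
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()[:16]

    def issue(self, store, purchased_at):
        """Called by the point of sale when the receipt is printed."""
        oid = uuid.uuid4()
        self._purchases[oid] = purchased_at
        body = f"{store}|{purchased_at.strftime(TS_FMT)}|{oid}"
        return f"{body}|{self._tag(body)}"

    def allows_refill(self, payload, now):
        body, _, tag = payload.rpartition("|")
        try:
            if not hmac.compare_digest(self._tag(body), tag):
                return False                 # edited or fabricated code
            _, _, oid = parse_payload(body)
        except (ValueError, TypeError):
            return False                     # malformed code
        purchased = self._purchases.get(oid)
        if purchased is None:
            return False                     # UUID never issued
        return timedelta(0) <= now - purchased <= REFILL_WINDOW
```

With the naive check, editing the timestamp field to a few minutes ago is enough; with the validator, the edited code fails the HMAC, and even an unmodified code stops working 60 minutes after the purchase time the server recorded, whatever the code itself says. A machine that is offline could still get the first property (the HMAC) but not the second.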

By @sschueller - 4 months
A guy went to prison for doing this with AT&T's public subscriber data. The media didn't do him a favor by calling it a hack.
By @yawnxyz - 4 months
reminds me of this Aussie cleaning company's website that forced you to create an account to take an order.

With a couple of clicks on the web app, you'd encounter a bug... and then you can see every single person's orders, email, and personal addresses. And it was my partner who discovered it (she was struggling to order service through the website bc it kept failing).

Oh and they also never charged us for service despite multiple emails asking them how we should pay (somehow we were able to order service through the site but never paid?)

Clearly they're not a serious company...

By @albert_e - 4 months
Author seems to have taken the post down ... in response to a legal notice from the platform

source: https://x.com/prstb/status/1838179660959465596

Original blog post, archived copy: https://web.archive.org/web/20240923091701/https://peabee.su...

By @Bengalilol - 4 months
Now, that went rogue quite fast and easily. I still find it confusing when some devs opt for the "let's not think about security, tokens, POST requests and whatever".

I am sure some companies using that service will ask for more closed doors before everyone can lookup their revenues. That's one big example of a non technical vulnerability based on a 101 technical principle.

By @yas_hmaheshwari - 4 months
I know that Indian companies might not have a bug bounty program, but you should get paid for finding such a big vulnerability. And their CTO should take some blame for this.

On the other hand, I agree with other comments that posting the whole financials of a company does not seem like a good idea

PS: I really like your writing style. Subscribed to your newsletter

By @always_imposter - 4 months
The api is still up and they still haven't done anything to remedy this. Like, that should be your first priority, first send an email to your customers apologizing for this and then start working on it.

Yikes.

As one commenter on X(itter) said, the only way this company will think about fixing this is when a competitor gathers all their customers' details and emails them to migrate to their service if they don't want their precious data to leak.

By @hnbad - 4 months
Looks like the article was deleted and purged from archive.org. I wonder if anyone saved a copy elsewhere?

From the comments it seems likely the author realized they may have accidentally committed a crime or at least done something that could cause real legal consequences for them and quickly destroyed the evidence. That's probably better than leaving it up but I'd wager it wouldn't protect them from any legal consequences publishing the article already made possible.

By @krab - 4 months
Nice find!

There's a problematic but not critical personal information leak, a mild business intelligence leak and that's about it.

> They could keep this script running for months, even years, creating awkward scenes and uncomfortable conversations at every restaurant across the country.

If that's about the worst thing you can actively do, then it's only about the data leak.

By @thih9 - 4 months
> Next time you're at a restaurant that makes you scan a QR code and enter your mobile number to order, I want you to remember that random strangers on the internet are looking over your shoulder and watching what you're eating.

Isn’t this just sample size one? In other systems this information can be passed securely and not leaked later.

By @jonplackett - 4 months
> This doesn’t feel like an oversight, it's either a deliberate design decision or they just don't care.

Having a complete lack of any authentication and sequential IDs does seem like a design decision.

By @vijeet_ - 4 months
Why was this blog removed?
By @0xFEE1DEAD - 4 months
I was waiting for a "I disclosed the vulnerability and this is how they reacted" story arc but there wasn't one. Pretty disappointed OP went this route. The golden rule is to always disclose the issue and wait for them to fix it before you publish. The only exception to this rule is if the company isn't acknowledging, responding, or communicating in any way. In that case you'd wait around three months, send a follow-up email warning them you'll publicly disclose the vulnerability, wait another three months, and then publish it.
By @voidfunc - 4 months
404 / Not Found. Looks like someone got to OP.

Anyone have a cached copy?

By @2Gkashmiri - 4 months
This is fun because I can confidently say "bureaucracy" runs on adverts. Whatever flashy, big-banner photo op you can find, people lap that up. Why? Because of the immense population of India. EVERYTHING works here.

You can spend countless hours trying to break your application, finding holes, but who cares?

The police care about financial fraud. Did someone clickbait you and swindle money from you? Well, they will pounce on it because they will extract their cut from all involved and it gives them nice PR in the daily newspaper.

PII fraud or a vulnerability? Eh, well. Who's gonna notice? We have enough on our plates.

Second thing: whatever the government is doing, they protect themselves at all costs. They WILL throw you under the bus if it protects their interests.

Why? Because of the massive population, jobs are scarce; people get college degrees and stuff to pad their resumes because employers, govt or private, REQUIRE documentary evidence you did something. Your skills don't matter; you have the papers or not.

This Dotpe company, whatever it's doing, is indicative of the systemic problems in India. You have lots of people, lots of smart people, lots of dumb people, and in the long run, bigger, cheaper, faster. That's all that matters.

By @mmsc - 4 months
> I checked on my laptop what other tables were ordering to get a quick vibe check of the place. I could've just looked around, but it felt cooler to do it on the laptop.

I think it would be great if you could go to a restaurant and they had this data available. Sure, some menus say "best seller!" but I don't believe them all the time. And tastes change, chefs, etc.

By @jonplackett - 4 months
This is offline now. Can anyone do a recap of what was revealed, without actually revealing whatever bad things were revealed?
By @yawpitch - 4 months
Well, this certainly is an interesting case of the abuse of servers to abuse servers. It’s almost teaching recursion.

Please no one write that random script… f*king up high cash flow but ultimately usually pretty low margin businesses like these, while also pushing the poor staff around in a way that costs them time and very likely wages is really, really, really bad karma.

By @tomw1808 - 4 months
Next up: "How I became a millionaire by consulting restaurants on Menu items and targeted Text Message Ads" ...

Seriously, it's a PII leak and it should be reported. And since you said Google is an investor someone (theoretically) should care.

By @kapilpatel - 4 months
Who says there was no security, indeed there was security by obscurity!
By @andai - 4 months
The other day I used one of these "order with QR" things for the first time. I ordered nachos and they brought me a fish! Curse you peabee!
By @eleveriven - 4 months
A glaring example of how convenience can often come at the expense of privacy and security
By @sylware - 4 months
A zero-click exploit targeting big tech web engines (blink|gecko/webkit).
By @gyhnol - 4 months
> Armed with my two-week free trial of Cursor IDE,

Makes this blog post sound like an advert for whatever this product is.

Maybe the next big app for AI is to analyze web pages and scrub this crap out of otherwise decent articles.

By @segalord - 4 months
My man’s got a legal notice out against him
By @jeanlucas - 4 months
It returns "Page not found"
By @coderbrahmin - 4 months
404 Not Found
By @Technetium - 4 months
Author has removed the article.
By @Elfener - 4 months
From the title, I thought this was going to be about a very big QR code (presumably with a comically long URL).
By @explosion-s - 4 months
Page not found?
By @mak8 - 4 months
finally someone woke up and secured
By @dncornholio - 4 months
Scummy article to be honest. Also good reminder to not fill in your phone number online, ever.