What's inside the QR code menu at this cafe? Let me scan it, what could possibly go wrong?

Birla.Veena
Indian startup Dotpe, which raised ~$100M to build point-of-sale systems for restaurants, left their entire API fully public.

A clever hacker found out the most ordered thing at every Social in India.

And did a prank to order what he wanted for a person next to him!

Thread link here.

https://x.com/deedydas/status/18381370826837283...

Here is a web archive of the hacker's thread.

https://web.archive.org/web/20240923081639/http...

What's inside the QR code menu at this cafe?
Let me scan it, what could possibly go wrong?
Sep 22, 2024
A few days ago, I went to a cafe near my home. I sat down and scanned the QR code on the table. It took me to a website displaying the cafe's menu. It asked me for my name and WhatsApp mobile number. I entered the details and placed the order.

In 5 mins my order arrived at the table. There was no OTP verification, and no one came to confirm the order. Is this what the peak ordering experience looks like?

It was a slow workday, and I thought I might as well open this QR code website on my laptop and have a quick look under the hood. Maybe I should've just made my own coffee and stayed home because I didn't realize I was opening a can of worms.

The QR code directed me to a website that ran on a dotpe.in subdomain. According to Dotpe’s website, they offer a "full stack food stack" for restaurants. The company was founded during the pandemic when contactless dining became popular. Google is one of their investors.

I opened my browser's dev tools to inspect the API requests - they looked OK. A request to get details of the cafe, a request to get all the items on the menu, a request to check if the store is running any promotional offers - just the usual stuff. Then I saw a couple of interesting requests:

/api/morder/suggestion/ongoing/items?storeID=XXXX
/api/morder/suggestion/items/purchase/history?merchantID=YYYY&storeID=XXXX
The first request listed the food items currently ordered at the cafe. The second returned how many times each item was ordered in the past month.

The coffee I had ordered showed up on the list of ongoing items. I looked around the cafe and noticed other food on tables matched items on the list too. This information should be for the cafe's admin staff only, so why can I see it?

The purchase history API provided a count of each food item ordered over the past month. The menu API gave the price of each food item. So I wrote a small script to calculate the cafe's dine-in revenue for the last month.
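The core defect the write-up describes is that the two merchant-only endpoints trust nothing but the query string: anyone who knows a storeID (which the menu page hands out) can read ongoing orders and monthly sales counts. The following is an added example, not code from the blog post or from Dotpe, showing that open pattern beside a handler that enforces object-level authorization. The two paths are taken from the write-up; the in-memory store table, the session and request models, the "staff" role and the store/merchant IDs are constructed for illustration.

```python
"""Merchant-only endpoints without authorization (the pattern in the
write-up) next to a hardened version that binds access to the login.
All data, session and role names below are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: two stores owned by two different merchants.
STORES = {
    "XXXX": {"merchantID": "YYYY",
             "ongoing": ["Cold Coffee", "Fries"],
             "history": {"Cold Coffee": 120, "Fries": 80}},
    "ZZZZ": {"merchantID": "WWWW",
             "ongoing": ["Tea"],
             "history": {"Tea": 300}},
}


@dataclass
class Session:
    """Constructed stand-in for a server-side session created at login."""
    user_id: str
    merchant_id: Optional[str] = None            # set only for merchant staff
    roles: frozenset = field(default_factory=frozenset)


@dataclass
class Request:
    """Constructed stand-in for an HTTP request; session=None is an anonymous diner."""
    path: str
    query: dict
    session: Optional[Session] = None


class Forbidden(Exception):
    pass


def purchase_history_open(req: Request) -> dict:
    """The pattern described above: the handler reads storeID from the
    query string and returns merchant data to whoever asked."""
    return STORES[req.query["storeID"]]["history"]


def require_store_staff(req: Request, store_id: str) -> None:
    """Object-level authorization: caller must be logged in, must hold the
    staff role, and the store must belong to the merchant of that session."""
    if req.session is None or "staff" not in req.session.roles:
        raise Forbidden("merchant staff login required")
    store = STORES.get(store_id)
    if store is None or store["merchantID"] != req.session.merchant_id:
        # One error for "unknown" and "not yours" so store IDs cannot be probed.
        raise Forbidden("store not accessible for this account")


def purchase_history_hardened(req: Request) -> dict:
    store_id = req.query["storeID"]
    require_store_staff(req, store_id)
    # merchantID from the query is deliberately ignored: the session, not the
    # client, decides which merchant the caller acts for.
    return STORES[store_id]["history"]


def ongoing_items_hardened(req: Request) -> list:
    store_id = req.query["storeID"]
    require_store_staff(req, store_id)
    return STORES[store_id]["ongoing"]


def demo() -> dict:
    """Exercise both handlers with an anonymous diner, the store's own
    staff, and staff of a different merchant; returns the outcomes."""
    path = "/api/morder/suggestion/items/purchase/history"
    query = {"merchantID": "YYYY", "storeID": "XXXX"}
    anon = Request(path, query)
    own_staff = Request(path, query, Session("u1", "YYYY", frozenset({"staff"})))
    other_staff = Request(path, query, Session("u2", "WWWW", frozenset({"staff"})))

    results = {"open_anon": purchase_history_open(anon),          # data leaks
               "hardened_own_staff": purchase_history_hardened(own_staff)}
    for name, r in (("hardened_anon", anon), ("hardened_other_merchant", other_staff)):
        try:
            purchase_history_hardened(r)
            results[name] = "allowed"
        except Forbidden:
            results[name] = "forbidden"
    return results


if __name__ == "__main__":
    print(demo())
```

The check worth copying is in require_store_staff: the store is looked up and compared against the merchant recorded in the session, so a valid login for one merchant still cannot read another merchant's stores, and the client-supplied merchantID never participates in the decision.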
Benevolent
Legal notice? Instead they should reward him for exposing this.
Deal Cadet

Very interesting read. I'm surprised that API was so easy to read - almost like an insult to any hacker.

Unfortunately we are living in times when there is zero privacy for individuals, zero transparency about stolen data and zero accountability for corps/govt. 

Deal Lieutenant

Revenue of Bellandur Social, Bengaluru is on another level 😷

Deal Cadet

Crazy! Never knew Social is clocking such high revenue.. genius business.. wondering what their spends are..

Critic

maybe it was intentional, the restaurant wanted to highlight their best seller item

Comrade

Looks like

Analyst

Good and interesting read.

Well, well, well. Imagine the govt. websites at state and national level. Would someone 🤔?? Yeah! They arrest and harass if we prove.

Finance Mentor

There would be many websites/ apps doing these same things, thinking that users won't bother to check the url from app calls. Only experienced or educated devs would protect both ends of the API.

This is why a QC (with tech knowledge) is very much required for even small dev teams.

Deal Subedar

Am I old? Because I refuse to go to a restaurant with QR code menu. I need a physical menu boss.
