What's inside the QR code menu at this cafe? Let me scan it, what could possibly go wrong?
- 850
- 13
-
- Last Comment
A clever hacker found out the most ordered thing at every Social in India.
And did a prank to order what he wanted for a person next to him!
Thread link here.
https://x.com/deedydas/status/18381370826837283...
Here is web archive of hacker
https://web.archive.org/web/20240923081639/http...
What's inside the QR code menu at this cafe?
Let me scan it, what could possibly go wrong?
Sep 22, 2024
A few days ago, I went to a cafe near my home. I sat down and scanned the QR code on the table. It took me to a website displaying the cafe's menu. It asked me for my name and Whatsapp mobile number. I entered the details and placed the order.
In 5 mins my order arrived at the table. There was no OTP verification, and no one came to confirm the order. Is this what the peak ordering experience looks like?
It was a slow workday, and I thought I might as well open this QR code website on my laptop and have a quick look under the hood. Maybe I should've just made my own coffee and stayed home because I didn't realize I was opening a can of worms.
Type your email...
Subscribe
The QR code directed me to a website that ran on a dotpe.in subdomain. According to Dotpe’s website, they offer a "full stack food stack" for restaurants. The company was founded during the pandemic when contactless dining became popular. Google is one of their investors.
I opened my browser's dev tools to inspect the API requests - they looked OK. A request to get details of the cafe, a request to get all the items on the menu, a request to check if the store is running any promotional offers - just the usual stuff. Then I saw a couple of interesting requests:
/api/morder/suggestion/ongoing/items?storeID=XXXX
/api/morder/suggestion/items/purchase/history?merchantID=YYYY&storeID=XXXX
The first request listed the food items currently ordered at the cafe. The second returned how many times each item was ordered in the past month.
The coffee I had ordered showed up on the list of ongoing items. I looked around the cafe and noticed other food on tables matched items on the list too. This information should be for the cafe's admin staff only, so why can I see it?
The purchase history API provided a count of each food item ordered over the past month. The menu API gave the price of each food item. So I wrote a small script to calculate the cafe's dine-in revenue for the last month.
- Sort By
Very interesting read. I'm surprised that API was so easy to read - almost like an insult to any hacker.
Unfortunately we are living in times when there is zero privacy for individuals, zero transparency about stolen data and zero accountability for corps/govt.
Revenue of Bellandur Social, Bengaluru is on another level 😷
Crazy ! Never new social is clocking such high revenue.. genius business.. wondering what their spends are..
maybe it was intentional, the restaurant wanted to highlight their best seller item
Good and interesting read.
Well, well, well. Imagine the govt. Websites at state and national level. Would someone 🤔?? Yeah! They arrrest and harass if we prove.
There would be many websites/ apps doing these same things, thinking that users won't bother to check the url from app calls. Only experienced or educated devs would protect both ends of the API.
This is why a QC (with tech knowledge) is very much required for even small dev teams.
Am I old? Because I refuse to go to a restaurant with QR code menu. I need a physical menu boss.
It's all about India's data protection act
How much of data was leaked or stolen no idea till date
https://x.com/prstb/status/1838179660959465596?...