Adding to this, in some countries he is already past the gray-area to what constitutes as computer fraud.

Pissing off the company, whose systems you accessed without authorization, is one way of getting to experience the full force of the justice system.

Well, the link leads to a 404 so it seems like the author has been convinced.

> 37,529 restaurants use Dotpe for QR codes.

At that scale, it would take years to get fixed without forcing it like this.

It's too small for them to care about the liability of security and too large to move quickly

In this case? Nope. This must be treated as willful design decision to open up API to entire public (including PII/phone-number leak as per design), even if they say they totally didn't meant that to happen. Government itself should then be notified to go after these guys for failing to do the most basic access controls.

I mean, come on! To treat this as a proper security vulnerability just gives too much leeway for these fast-and-loose businesses/systems. It will just encourage more such crap to proliferate.

I am with the author on this one, I am fairly certain the issue of this was raised internally already, probably multiple times. Fortunately for the business, their management did the right decision - focus on quick and easy features, security is a non-issue, we will just blame the hackers and have legal channels deal with them. I mean, you even have people here berating someone uncovering gross negligence for Google-backed company. Why would businesses bother with basic security when they can play the victim so damn easy?

My main beef with these menus is that I can't see the entire menu on my phone screen, and end up scrolling up and down multiple times before I can decide what I want to order. With a paper menu my eyes can flick up and down much faster. It's like trying to edit spreadsheets on a phone - technically possible but a real pain in the arse.

Even worse when the weird ass website has links to multiple PDF documents to download.

Then you find out all the items you looked at aren't available when the waiter stares blankly at you about your order.

Turns out the dinner menu requires horizontal scrolling on the page to find.

Completely agree with you.

If a restaurant has a QR-code menu, I ask for a physical one.

If they don't have a physical one, I walk out.

I've done that many, many, many times.

Many people like being able to see what they are ordering. I've seen people order by pointing to pictures on Yelp instead of using the paper menu. Online menus with pictures of every dish are desired by plenty of customers.

I’m not sure if this could be considered “peak”. The ratio of waiting staff to customers is an obvious bottleneck.

This inefficiency is simply accepted and not even really thought about, it’s just the way things are. But one thing I can say for this tech is it fixed it and the difference is noticeable.

In Japan, many chains are using tablets for their menu, and you can order through that. That's much better than having to pull whatever from a QR code.

OMG .... 1000 upvotes ...

Even worse are the restaurants who require one table to be all ordered on one phone ... so one lemon ends up effectively being the waiter for the table and doing the ordering for everyone. Ask me how I know.

> custom app.

That is always the worst experience. The most painful apps always require you to spend another 7 minutes after installation; typing in and verifying your credit card information... That has to be the most convoluted paying experience.

I was almost shocked when I rented a Hertz car (via IKEA), that everything was done through a website. The website asked for permission to use the phone camera to take pictures of the car etc. and off we went. Such a good experience compared to fiddling with a new app..

The best implementation of QR code menu I've seen was as followed. There was a paper menu but could also order from QR. It was a well designed page to choose from, but the wait staff was still there and took order. We had the option to order from QR if we wanted. When they entered our order, the page (linked to our table through custom QR code) updated with our order. We could add items at any point or we could "call our wait staff" who would then come to our table. At any point we could just pay our bill and walk away. It was the same feeling of using an uber for the first time and just walking out of the car and not worrying about paying the driver.

Will call you old fashioned for that. I recently went to a restaurant with a large group of friends and they used toast tab for online ordering. The experience was much better than ordering in person. Each family was able to order and pay for themselves. We could add extra items to our order whenever we wanted.

Without the app I would've had to keep an eye for a roaming waiter, call them out and then place an order. This takes away from the dining experience. I also don't like to wait for the server to clear plates, take the card, swipe it and get it back. The old fashioned ways will disappear for good.

One of the restuarant chains mentioned in the author's post (Social), is an extremely crowded pub during the night and for the rest of the time, a place where freelancers or remote workers come in to work and socialize. At least that was the case in Bengaluru,India before Covid.

I would say that from the restuarant's point of view, having the order-from-app experience works out since the freelancers can order via their laptops whenever they want, without having to flag down a waiter. And during rush hours, tables could order what they want without having to spot and call a waiter among a very drunk dancing crowd.

Same here. I am even reluctant scanning any QR code and taking me to random web pages connecting my phone - and since phone is an extremely personal device, pratically an ID, so myself - to that place and time. I am not a fan of being traced, surveillanced more than avoidable, especially not fan of triggering it myslef. Giving away additional dat on myself on top of that. No thank you. And this is before considering the system exploiting the vulnerabilities of my device, insted of the other way around shown in the writing. I left a place because of their QR code primary order system. Waiters came around taking order the old fasioned way, but only in the gaps of serving the QR orders. No thank you.

Some apps are brilliant though - Wetherspoon pubs in the UK (despite not at all being the height of dining) have an app that works really well, I don't think I've ordered at a person there for at least 5 years.

A good server is an emissary from the kitchen, who knows the menu, and helps you find the best dishes. A great server establishes rapport with the regulars, anticipates their needs, makes them feel welcome and comfortable.

Unfortunately "server" is not considered a respectable career but something you put up with before your film career takes off, or how you pay your college tuition for that juicy psychiatric nurse degree.

So nobody can be paid enough, or retained long enough, to care about customers or the food. So 25 years from now, the best server will be a Roomba with a prominent QR on its back.

In this case, a weird-ass website that immediately demands your personal data.

As a fully capable person I can't stand being waited on. For me the peak ordering experience is I choose an item from some written menu with prices on it, ask for said item and pay exactly the price written on the menu. Then I either take item immediately or come to collect it later to take it to the table myself.

When I want to leave I just get up and go without the stupid ask to know how much I need to pay then ask again to actually pay with expectation that I pay more than what was asked like it's my choice to pay but really it isn't.

Completely agree. And it also allows opportunities for customization. Custom paper, cutting, presentation etc. Whereas on the phone, it's usually just a PDF or some responsive website.

A real waiter also allows for a human connection to be created. Experienced waiters (rather than part timers) can really help you make an order, give you recommendations etc. which makes the experience of dining out much nicer.

Agreed. I've been to restaurants that only had a QR code but were also a Faraday cage so I couldn't access it. Was absolutely ridiculous.

I have been to restaurants where they bring you a tablet that you keep at your table. It has the menu and everything on it. You order what you want from it, food or drinks, at any time and a waiter brings it to you.

I found the experience better than ordering from a waiter and better than using your own phone.

I've told that chains in China have now replaced this last bit "a waiter brings it" by a little robot.

Similarly old fashioned here. If there's no menu and/or no table (or bar) staff to take an order, I simply walk out.

Unfortunately the implementation that most Western countries took is pretty terrible. One of the highlights for me in China is the lack of menus in restaurants, I can still ask the staff questions if there are any but its nice being able to order add-ons throughout the meal without having to wave someone down.

You're right, you are old-fashioned. I love order by phone. Any amount of time I'm sitting at a table trying to get a waiter to notice me and come by just feels like agony. Let me tell you exactly what I want, exactly when I want it.

Completely agree. I'll tolerate PDF menus if it's a really good restaurant, chances are I already know what I want anyway. If they ask me to install apps on my phone I walk out.

I'm with you on that. There's something special about a personal interaction with a waiter and a paper menu

And a little button to call the waiter... I hate trying to make eye contact with a waiter in a big and busy place.

Peak is to me where we can sit and order and pay, and do not get interrupted so we can actually talk.

This is cheap restaurant experience, in good ones you always get the good old paper

Ah yes the peak experience is having to wait 10 minutes and catch an extremely busy person's attention just so you can order.

Most of these ordering systems (at least the ones that have survived COVID) are pretty good websites now. I don't remember ever having to use a custom app. It's a far superior experience.

(Oh yeah and I guess you may be American and have a very different eating experience to the rest of the world where waiters don't live off the arbitrary generosity of customers.)

[flagged]

> waiter that patiently takes the order.

Ah yes... superiority complex?

> Looking forward to seeing it more often

Not sure if you're serious after reading the paragraph where he ordered food for another table ;-)

"obviously overlooked backdoor"

This is the front door. It's not even open, it's taken off the hinges.

Scratch that, there never was a door in the first place, just a gaping hole right to the street.

I'm interested to know what the correct way to report this would have been? Specifically in this case. And what would one expect after reporting it? I've found many things like this and I only reported two (Genius, they said thanks) and Amazon (they replied but ultimately ignored it, and the issue is still there today)

> Looking forward to seeing it more often, especially in places where you're not looking for stellar service.

I loathe them perhaps even more than I loathe the order-kiosks that McDonald's has rolled out. My phone is smaller than the folded napkin, I would rather not have to scroll to examine a menu.

Regardless, a restaurant should think twice about outsourcing this kind of thing to a 3rd party that now has all of your (and your competitors) financials. Even if the API is better vetted, why would you trust this faceless, profit-motivated site with your data?

"Convenience" seems to be the way they market "getting rid of employees" these days — from self-service gas, self-checkout lanes, etc.

It’s definitely a more streamlined experience in some cases but for me it has more disadvantages

eh. this is india my dude

https://archive.is/Z7eIg

Thanks, apparently the article was taken down...

If you leave the gate to your yard wide open don't be surprised to find kids playing ball there.

And to add that he tried out the exploit on unknowing participants. It would be better to try this with a friend in-the-know at a separate table. It makes me think he did it more as a practical joke than testing his exploit, especially because he mentioned they were "not-too-intimidating-looking guys".

I'll admit it is a bit funny and the damage caused is tiny(just the price of the food). However, things like this do harm the reputation of bug-bounty hunters.

The author says "I refuse to believe they’re unaware of this. This doesn’t feel like an oversight, it's either a deliberate design decision or they just don't care." Agree that this is an uncharitable way of looking at it.

Is it a vulnerability when it is obvious the company do not care about security?

If you discovered an incompetent healthcare provider was prescribing antibiotics for every condition would you "contact them privately" or contact the relevant authorities?

Private disclosure is for when you believe the company cares about security but made a genuine mistake. For the company in the OP it would be more like free education in fundamental privacy and ethics. They're not entitled to that. Name and shame.

This is hardly a 0-day vuln exploit. This works as designed (and presumably design has been signed off etc)

is it really a vulnerability if the entire thing is open by design?

Disagree.

Most likely the company will blame them for trying to help. Also, if the company is so incompetent that they allow this why bother. He's not getting paid to be their test engineer.

This is why security researchers (threaten to) release this kind of information publicly. Reporting security issues doesn't fix anything until other people learn the details.

> Can you craft a QR code with the same data but change the timestamp to achieve for infinite refills?

Well, can you? :). It's the obvious next thing to try, given that Binary Eye is conveniently also a barcode generator, not just a scanner.

>Can you craft a QR code with the same data but change the timestamp to achieve for infinite refills?

I'm hoping nobody is this naive to let your client have mission critical info to implement something as crucial as giving a discount or refills in your case. It would be just be an extra column in your db table, the only identifier available to the user should be just the UUID, along with some identifier.

I almost got into big trouble at school for "hacking a teachers email". I guessed their email address (they were systematically generated) and sent an email. It's true you can get into trouble for this, but we need to all take it upon ourselves to make sure this doesn't happen. If this guy got into trouble I would hope every software engineer would be up in arms defending them.

Eh it was not just that, weev obviously had evil intent. (I wonder what's up with him now, last time I read his blog, he was posting neo-nazi posts from Ukraine)

Isn't service taken into account in the price of the meals?

> I agree with other comments that posting the whole financials of a company does not seem like a good idea

Probably. But IMHO it's the right/moral thing to do, posting/showing how to access their client data is of course hardly justifiable.

It's still there on archive.org https://web.archive.org/web/20240923053856/https://peabee.su...

Check the thread here: https://x.com/deedydas/status/1838137082683728323?s=46

According to Twitter they removed it due to a legal notice from Dotpe, author still seems to believe he was just accessing public data unfortunately which does not look good for him should Dotpe choose to take it further

"Why were you at X when you told me you were at Y? And why did you order for 2 people? Why have you been going there for the last Z months?"

"By following the pattern of when you were there and what you ordered, I found the other person's details too"

In the EU the leak of the mobile number alone would be sufficient for this to count as a serious breach

No, that's the most inconvenience you can cause. There are worse things you can do: target specific people with spurious orders, cancel everything they order, or if you want add random items to every order, making the entire system useless.

Aren't phone numbers being leaked if you iterate over the tables?

Let's not forget though that these systems aren't made to make your ordering experience better (they do the opposite) - they're literally made to make it easier for more "random strangers" look over your shoulder and watch what you're eating. Strangers working for the vendor, working for the QR-menu solution provider, working for various marketing companies, etc.

Feels like a proof of concept demo app built by an intern.. to which the customer said: perfect! launch this in production tomorrow

Author is afraid they conmitted fraud according to Indian laws

https://archive.is/hVKzw#selection-853.37-853.44

Maybe someone from the company behind the API got in contact with him.

https://archive.ph/Z7eIg

Yes. It was an article from someone who went into a café which had a QR code based ordering system. After ordering through the system they decide to open their laptop and inspect/look at the API of the system (a system apparently used across India).

They realize that the whole API does not use authentication or authorization and start reverse engineering it/trying out various endpoints. They can then do things like ordering stuff for other tables, calculate earnings of restaurants, etc.

They probably took it down because they disclosed it publicly directly instead of contacting that QR code based ordering service provider (which I won't mention the name of).

Given that this is a substack which has a newsletter, this article has probably reached many people before being taken offline.

I looked around to find a security contact at DotPe, and couldn’t find anything. Hopefully, this HN post raises enough alarms.

I think it was a sarcastic way to stress how low effort the whole endeavour required.

India today picked up: https://www.indiatoday.in/business/story/dotpe-security-laps...

A better way would be to note down scammers numbers then fill those in instead.