Adding to this, in some countries he is already past the gray-area to what constitutes as computer fraud.

Pissing off the company, whose systems you accessed without authorization, is one way of getting to experience the full force of the justice system.

In this case? Nope. This must be treated as willful design decision to open up API to entire public (including PII/phone-number leak as per design), even if they say they totally didn't meant that to happen. Government itself should then be notified to go after these guys for failing to do the most basic access controls.

I mean, come on! To treat this as a proper security vulnerability just gives too much leeway for these fast-and-loose businesses/systems. It will just encourage more such crap to proliferate.

I am with the author on this one, I am fairly certain the issue of this was raised internally already, probably multiple times. Fortunately for the business, their management did the right decision - focus on quick and easy features, security is a non-issue, we will just blame the hackers and have legal channels deal with them. I mean, you even have people here berating someone uncovering gross negligence for Google-backed company. Why would businesses bother with basic security when they can play the victim so damn easy?

My main beef with these menus is that I can't see the entire menu on my phone screen, and end up scrolling up and down multiple times before I can decide what I want to order. With a paper menu my eyes can flick up and down much faster. It's like trying to edit spreadsheets on a phone - technically possible but a real pain in the arse.

You're right, you are old-fashioned. I love order by phone. Any amount of time I'm sitting at a table trying to get a waiter to notice me and come by just feels like agony. Let me tell you exactly what I want, exactly when I want it.

In Japan, many chains are using tablets for their menu, and you can order through that. That's much better than having to pull whatever from a QR code.

> custom app.

That is always the worst experience. The most painful apps always require you to spend another 7 minutes after installation; typing in and verifying your credit card information... That has to be the most convoluted paying experience.

I was almost shocked when I rented a Hertz car (via IKEA), that everything was done through a website. The website asked for permission to use the phone camera to take pictures of the car etc. and off we went. Such a good experience compared to fiddling with a new app..

I’m not sure if this could be considered “peak”. The ratio of waiting staff to customers is an obvious bottleneck.

This inefficiency is simply accepted and not even really thought about, it’s just the way things are. But one thing I can say for this tech is it fixed it and the difference is noticeable.

Even worse when the weird ass website has links to multiple PDF documents to download.

Then you find out all the items you looked at aren't available when the waiter stares blankly at you about your order.

Turns out the dinner menu requires horizontal scrolling on the page to find.

One of the restuarant chains mentioned in the author's post (Social), is an extremely crowded pub during the night and for the rest of the time, a place where freelancers or remote workers come in to work and socialize. At least that was the case in Bengaluru,India before Covid.

I would say that from the restuarant's point of view, having the order-from-app experience works out since the freelancers can order via their laptops whenever they want, without having to flag down a waiter. And during rush hours, tables could order what they want without having to spot and call a waiter among a very drunk dancing crowd.

Many people like being able to see what they are ordering. I've seen people order by pointing to pictures on Yelp instead of using the paper menu. Online menus with pictures of every dish are desired by plenty of customers.

Some apps are brilliant though - Wetherspoon pubs in the UK (despite not at all being the height of dining) have an app that works really well, I don't think I've ordered at a person there for at least 5 years.

OMG .... 1000 upvotes ...

Even worse are the restaurants who require one table to be all ordered on one phone ... so one lemon ends up effectively being the waiter for the table and doing the ordering for everyone. Ask me how I know.

In this case, a weird-ass website that immediately demands your personal data.

I'm with you on that. There's something special about a personal interaction with a waiter and a paper menu

Agreed. I've been to restaurants that only had a QR code but were also a Faraday cage so I couldn't access it. Was absolutely ridiculous.

A good server is an emissary from the kitchen, who knows the menu, and helps you find the best dishes. A great server establishes rapport with the regulars, anticipates their needs, makes them feel welcome and comfortable.

Unfortunately "server" is not considered a respectable career but something you put up with before your film career takes off, or how you pay your college tuition for that juicy psychiatric nurse degree.

So nobody can be paid enough, or retained long enough, to care about customers or the food. So 25 years from now, the best server will be a Roomba with a prominent QR on its back.

I have been to restaurants where they bring you a tablet that you keep at your table. It has the menu and everything on it. You order what you want from it, food or drinks, at any time and a waiter brings it to you.

I found the experience better than ordering from a waiter and better than using your own phone.

I've told that chains in China have now replaced this last bit "a waiter brings it" by a little robot.

Ah yes the peak experience is having to wait 10 minutes and catch an extremely busy person's attention just so you can order.

Most of these ordering systems (at least the ones that have survived COVID) are pretty good websites now. I don't remember ever having to use a custom app. It's a far superior experience.

(Oh yeah and I guess you may be American and have a very different eating experience to the rest of the world where waiters don't live off the arbitrary generosity of customers.)

As a fully capable person I can't stand being waited on. For me the peak ordering experience is I choose an item from some written menu with prices on it, ask for said item and pay exactly the price written on the menu. Then I either take item immediately or come to collect it later to take it to the table myself.

When I want to leave I just get up and go without the stupid ask to know how much I need to pay then ask again to actually pay with expectation that I pay more than what was asked like it's my choice to pay but really it isn't.

> waiter that patiently takes the order.

Ah yes... superiority complex?

If you leave the gate to your yard wide open don't be surprised to find kids playing ball there.

> Looking forward to seeing it more often

Not sure if you're serious after reading the paragraph where he ordered food for another table ;-)

It’s definitely a more streamlined experience in some cases but for me it has more disadvantages

"obviously overlooked backdoor"

This is the front door. It's not even open, it's taken off the hinges.

Scratch that, there never was a door in the first place, just a gaping hole right to the street.

eh. this is india my dude

And to add that he tried out the exploit on unknowing participants. It would be better to try this with a friend in-the-know at a separate table. It makes me think he did it more as a practical joke than testing his exploit, especially because he mentioned they were "not-too-intimidating-looking guys".

I'll admit it is a bit funny and the damage caused is tiny(just the price of the food). However, things like this do harm the reputation of bug-bounty hunters.

The author says "I refuse to believe they’re unaware of this. This doesn’t feel like an oversight, it's either a deliberate design decision or they just don't care." Agree that this is an uncharitable way of looking at it.

This is hardly a 0-day vuln exploit. This works as designed (and presumably design has been signed off etc)

Is it a vulnerability when it is obvious the company do not care about security?

is it really a vulnerability if the entire thing is open by design?

Disagree.

Most likely the company will blame them for trying to help. Also, if the company is so incompetent that they allow this why bother. He's not getting paid to be their test engineer.

If you discovered an incompetent healthcare provider was prescribing antibiotics for every condition would you "contact them privately" or contact the relevant authorities?

Private disclosure is for when you believe the company cares about security but made a genuine mistake. For the company in the OP it would be more like free education in fundamental privacy and ethics. They're not entitled to that. Name and shame.

This is why security researchers (threaten to) release this kind of information publicly. Reporting security issues doesn't fix anything until other people learn the details.

> Can you craft a QR code with the same data but change the timestamp to achieve for infinite refills?

Well, can you? :). It's the obvious next thing to try, given that Binary Eye is conveniently also a barcode generator, not just a scanner.

I almost got into big trouble at school for "hacking a teachers email". I guessed their email address (they were systematically generated) and sent an email. It's true you can get into trouble for this, but we need to all take it upon ourselves to make sure this doesn't happen. If this guy got into trouble I would hope every software engineer would be up in arms defending them.

Eh it was not just that, weev obviously had evil intent. (I wonder what's up with him now, last time I read his blog, he was posting neo-nazi posts from Ukraine)

Isn't service taken into account in the price of the meals?

Let's not forget though that these systems aren't made to make your ordering experience better (they do the opposite) - they're literally made to make it easier for more "random strangers" look over your shoulder and watch what you're eating. Strangers working for the vendor, working for the QR-menu solution provider, working for various marketing companies, etc.

"Why were you at X when you told me you were at Y? And why did you order for 2 people? Why have you been going there for the last Z months?"

"By following the pattern of when you were there and what you ordered, I found the other person's details too"

In the EU the leak of the mobile number alone would be sufficient for this to count as a serious breach

Aren't phone numbers being leaked if you iterate over the tables?

No, that's the most inconvenience you can cause. There are worse things you can do: target specific people with spurious orders, cancel everything they order, or if you want add random items to every order, making the entire system useless.

I looked around to find a security contact at DotPe, and couldn’t find anything. Hopefully, this HN post raises enough alarms.

I think it was a sarcastic way to stress how low effort the whole endeavour required.

A better way would be to note down scammers numbers then fill those in instead.