
rococode | 1 year ago

Not to be a party pooper, but posting detailed financial analysis of the exact sales data of a multi-million dollar business using numbers obtained through an obviously overlooked backdoor seems like a very bad idea. Haven't people gone to jail for less? (iirc "but it was an insecure API" has not held up in court in the past)

On a more positive note, I've used a QR menu recently and it really is a game changer. Scanned a code, pressed a few buttons, and my food was there in minutes! Looking forward to seeing it more often, especially in places where you're not looking for stellar service.


Tepix | 1 year ago

> Looking forward to seeing it more often

Not sure if you're serious after reading the paragraph where he ordered food for another table ;-)

snypox | 1 year ago

When implemented properly, it’s a convenient system. I enjoyed using it at the Stockholm airport a few months ago.

rococode | 1 year ago

Haha :) Looking forward to seeing it more often... with proper security

hoseja | 1 year ago

"obviously overlooked backdoor"

This is the front door. It's not even open, it's taken off the hinges.

Scratch that, there never was a door in the first place, just a gaping hole right to the street.

msephton | 1 year ago

I'm interested to know what the correct way to report this would have been? Specifically in this case. And what would one expect after reporting it? I've found many things like this and I only reported two (Genius, they said thanks) and Amazon (they replied but ultimately ignored it, and the issue is still there today)

ldjb | 1 year ago

First thing I would do is look for a security.txt file or search to see if they operate some kind of bug bounty. Failing that, I would browse their website or search for contact details (or even just a contact form). WHOIS can be useful for this. Ideally you'd want some kind of security contact, or a technical contact, but other times you have to make do with the general contact email/form.

In this specific case, they have a general email address at the bottom of their privacy policy, so that's what I'd use.

I'd send them an email along the lines of "I found a security issue with your website; how would you like me to report it to you?". Then they'll hopefully put me in touch with the right person.

In terms of what I'd expect… If they operate a bug bounty (which they don't in this case) then I'd expect what's on offer. If not, it would depend. I often don't expect anything. There have been businesses I've disclosed security vulnerabilities to that are shady enough that I've refused the reward they offered. Sometimes I don't want anything to do with them.
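The security.txt lookup described in the comment above, as an added example that is not part of the thread: a small RFC 9116 parser that pulls the Contact entries out of a (constructed) security.txt and refuses to use the file once its Expires date has passed. The sample file contents and the example.com addresses are assumptions for this illustration.

```python
"""Find where to send a vulnerability report using a site's security.txt (RFC 9116)."""
from datetime import datetime, timezone

# Constructed sample of what a site might serve at /.well-known/security.txt.
SAMPLE_SECURITY_TXT = """\
# Security policy for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/report
Expires: 2030-12-31T18:37:07Z
Preferred-Languages: en, sv
Policy: https://example.com/security-policy
"""


def parse_security_txt(text):
    """Return {lowercased field name: [values...]}, skipping blank and comment lines."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _parse_time(value):
    """Parse an ISO 8601 timestamp; a trailing Z/z means UTC, naive times are taken as UTC."""
    if value[-1] in "Zz":
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def report_contacts(text, now=None):
    """Return the Contact values in file order, or [] if the file is unusable.

    RFC 9116 makes both Contact and Expires mandatory, and a file past its
    Expires date must not be relied on, so those cases yield no contacts.
    `now` is an optional ISO 8601 string (defaults to the current UTC time).
    """
    fields = parse_security_txt(text)
    contacts = fields.get("contact", [])
    expires = fields.get("expires")
    if not contacts or not expires:
        return []
    current = _parse_time(now) if now else datetime.now(timezone.utc)
    if _parse_time(expires[0]) <= current:
        return []
    return contacts
```

If no security.txt is served, the comment's fallback still applies: look for a published security or technical contact, or use the general contact address.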

JKCalhoun | 1 year ago

> Looking forward to seeing it more often, especially in places where you're not looking for stellar service.

I loathe them perhaps even more than I loathe the order-kiosks that McDonald's has rolled out. My phone is smaller than the folded napkin, I would rather not have to scroll to examine a menu.

Regardless, a restaurant should think twice about outsourcing this kind of thing to a 3rd party that now has all of your (and your competitors) financials. Even if the API is better vetted, why would you trust this faceless, profit-motivated site with your data?

"Convenience" seems to be the way they market "getting rid of employees" these days — from self-service gas, self-checkout lanes, etc.

eleveriven | 1 year ago

It’s definitely a more streamlined experience in some cases but for me it has more disadvantages