qnleigh 2 days ago

> I would have thought about privately disclosing these findings to Dotpe. But all the API requests are right there in plain sight...

There are pretty common ethical standards about disclosing vulnerabilities privately before disclosing them publicly. I don't see how the obviousness of the vulnerability changes the situation. By warning the company, you give them the opportunity to remedy the problem before announcing to the world that anyone with a laptop can exploit it. Probably they were just hoping that nobody would notice, which is stupid of course, but now they don't have the chance to build up a better wall before the flood of fake orders that could cause real harm to the small businesses whose financial information you disclosed online.

Perhaps I'm being too optimistic about how the company would respond, but I still think it's hard to justify not doing a private disclosure.

  • mainframed 2 days ago

    Adding to this, in some countries he is already past the gray area of what constitutes computer fraud.

    Pissing off the company, whose systems you accessed without authorization, is one way of getting to experience the full force of the justice system.

    • moralestapia 2 days ago

      Curious.

      How is this, specifically, fraud?

      • nkrisc a day ago

        The gist of some various laws around the world is that simply obtaining credentials does not authorize you to access the system, and accessing it without authorization is the illegal part.

        • drdec a day ago

          This principle is clear if you apply a real-world analogy. Just because you happen to have keys to a building doesn't mean you can enter without authorization from the owner. (E.g. you may have kept copies after a lease expires or a sale, or maybe you found them, etc.)

          • whamlastxmas a day ago

            Considering it’s an API available without any authorization, the better comparison would be walking around on unfenced private land. There’s nothing to indicate they don’t want people on it, but it’s also obvious it’s private land.

            • hunter2_ a day ago

              Walking around isn't usually a big deal until told to leave (verbally or by way of conspicuously posted signs), since that is a prerequisite to trespassing. Otherwise, delivery people would operate in a gray area which would be very problematic for them, since not all deliveries are requested by the recipient/owner.

              However, although you are free to walk around in search of the front door, you can't start eating the fruit off the trees. Perhaps that's the better analogy: the trees are happy to serve up a delicious treat for anyone requesting something of it, but that doesn't mean the tree sets the rules. Just because fences preventing this are popular doesn't make them compulsory.

            • ryathal a day ago

              It doesn't matter. It's still just as illegal to get into an unlocked car or one with wide open doors without permission. The same premise applies to computers in a lot of places; access controls don't matter. If you access something on a computer not intended to be accessible, it's considered a crime.

              • paledot 21 hours ago

                Is it illegal, in fact? If a cop saw you, you'd be arrested and prosecuted for attempted auto theft, and your "I just wanted to see how comfy the driver's seat was" defense would ring hollow in court. But sitting in an unoccupied car without authorization isn't trespassing unless it's parked on the owner's land, and I'm not sure what other laws would apply to that specific act.

          • moralestapia a day ago

            I get the unauthorized access argument.

            But how does it become fraud?

            • esrauch a day ago

              Defeating access control by using credentials that aren't yours is fraud.

              Like, if you found a company badge lying around, went to that office and flashed the badge to the security guard and went in, you've committed fraud by tricking the guard into thinking you're authorized to enter when you weren't.

              • moralestapia a day ago

                I see, thanks.

                No credentials involved here, though.

                • hunter2_ a day ago

                  TFA mentioned sending requests with a table number that the sender was not at. That is hardly any different from the idea of showing a badge that wasn't issued to you. The ease of spoofing doesn't matter at all, in the eyes of such laws.

                  The same could be said about typing any URL that wasn't knowingly supplied to you by the owner, but a "reasonableness test" in court would sort those out from nefarious activity.

                • nkrisc a day ago

                  The question a judge (or jury) would answer is: would a reasonable person think they had permission to access it?

                  API documented on the website under a section called “For Developers”? Probably, yes. API reverse engineered by intercepting requests? Probably not.

                  Note that the blog was taken down before I could read it myself.

        • tetha a day ago

          Interestingly enough, the very lawsuit-happy nature of a major German party has "backfired" quite a bit recently. A security researcher was found not guilty of circumventing security measures or accessing authorized computer systems or resources without authorization, because there were no security measures or authorization on the API to circumvent.

          Though note that this would not help one if one started to use or abuse the API to get free food or cause financial damage to a restaurant through fake orders. For example, ordering the corn soup through the API could really backfire if someone wants to present it as good old fraud or theft, or if the recipient of the unexpected soup got into trouble and started to look for someone to hand the damages to.

      • rvnx 2 days ago

        He is in India:

        If any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network

        - (a) accesses or secures access to such computer, computer system or computer network or computer resource;

        - (b) downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;

        [...]

        - (e) disrupts or causes disruption of any computer, computer system or computer network;

        [...]

        - (g) provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made thereunder;

        If any person, dishonestly or fraudulently, does any act referred, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both.

        ====

        Though I much prefer the author of the blog post to the company...

      • ceejayoz a day ago

        By the sensible definition, it isn’t.

        By the definition that killed Aaron Swartz, it probably is.

        • AdamN a day ago

          He wasn't prosecuted for logging in and looking around. He overtly did copyleft type things like finding ways to take copyrighted journal articles and release them into the public domain. Overzealous prosecution for sure regardless.

          • ceejayoz a day ago

            https://en.wikipedia.org/wiki/Aaron_Swartz#United_States_v._...

            > On July 11, 2011, he was indicted by a federal grand jury on charges of wire fraud, computer fraud, unlawfully obtaining information from a protected computer, and recklessly damaging a protected computer.

            > On November 17, 2011, Swartz was indicted by a Middlesex County Superior Court grand jury on state charges of breaking and entering with intent, grand larceny, and unauthorized access to a computer network.

            > On September 12, 2012, federal prosecutors filed a superseding indictment adding nine more felony counts, increasing Swartz's maximum criminal exposure to 50 years of imprisonment and $1 million in fines.

            The only civil copyright proceedings were JSTOR settling with him out of court.

      • mainframed a day ago

        I don't know Indian laws. But this wikipedia page [1] gives a list of types of computer fraud in the US under the CFAA:

        Types of computer fraud include: * [...] * Accessing unauthorized computers * [...]

        He accessed their computers to access purchase information of other people (e.g. his friend) and business data. I guess making it public, thereby damaging the company's reputation and potentially getting sued by their lawyers, is one way to find out whether he was "unauthorized" to do so.

        [1] https://en.wikipedia.org/wiki/Computer_fraud

      • cornel_io 2 days ago

        People have been convicted of hacking for merely editing URL strings, under the theory that they were knowingly accessing systems in ways that they were not supposed to. This would be similar.

        Whether or not that seems reasonable to us is a different matter, but basically it boils down to the fact that "they left the door unlocked" doesn't make it legal to walk in.

        • ensignavenger a day ago

          I believe the conviction of which you are thinking was overturned on appeal, though.

  • ryukoposting a day ago

    Well, the link leads to a 404 so it seems like the author has been convinced.

  • ffsm8 a day ago

    > 37,529 restaurants use Dotpe for QR codes.

    At that scale, it would take years to get fixed without forcing it like this.

    It's too small for them to care about the liability of security and too large to move quickly

    • loktarogar a day ago

      > At that scale, it would take years to get fixed without forcing it like this.

      But it also might not take years. The point of responsible disclosure is to give them the opportunity. If they don't take it, fine - that's now on them.

      Instead this guy is committing fraud with actual financial damages (wasted food) and then sharing how others can commit the same fraud on a massive scale, potentially causing more damage. This is now on him and Dotpe, not Dotpe alone.

      • hunter2_ a day ago

        > fine - that's now on them

        Is that legally true? The legal risk of having published this without responsible disclosure vanishes if the conventional period of opportunity is ignored? That smells fishy.

        • loktarogar a day ago

          I'm not a lawyer so I'm not speaking to the legality of this. Legality is not the only thing that matters.

          If you publish an exploit without at least making an attempt to fix it, and someone follows you and exploits it, then there's a direct moral line between you and that exploitation. They more likely than not wouldn't have exploited it without you putting that published info in their path. It's now on you, them and the company, morally. Any damages that result from this interaction are because you and the company enabled them to happen.

          That's different to someone else stumbling on it and exploiting it. That's purely on the company and the exploiter.

    • chippiewill a day ago

      Maybe, maybe not.

      But in responsible disclosure you usually give a 90 day notice period before publicly disclosing and "forcing" them.

  • tomalaci 2 days ago

    In this case? Nope. This must be treated as a willful design decision to open up the API to the entire public (including the PII/phone-number leak, as per design), even if they say they totally didn't mean for that to happen. The government itself should then be notified to go after these guys for failing to implement the most basic access controls.

    I mean, come on! To treat this as a proper security vulnerability just gives too much leeway for these fast-and-loose businesses/systems. It will just encourage more such crap to proliferate.

    I am with the author on this one. I am fairly certain this issue was raised internally already, probably multiple times. Fortunately for the business, their management made the right decision: focus on quick and easy features, security is a non-issue, we will just blame the hackers and have legal channels deal with them. I mean, you even have people here berating someone for uncovering gross negligence at a Google-backed company. Why would businesses bother with basic security when they can play the victim so damn easily?

    • mpeg 2 days ago

      Author is in India, I would be very careful because it's much more likely the government will prosecute them for unauthorised access and irresponsible disclosure than do anything to the company.

      Truth is even in the west this kind of irresponsible disclosure could land you in jail, much more so in a developing country where these laws are all relatively new.

    • krsdcbl 2 days ago

      Fully agree with you!

      The API being unauthenticated is clearly a core design choice, and finding out that any customer or service data is openly accessible with consecutive numbers through that API is not a zero-day or something.

      There is no "responsible disclosure" to be made here, going to the company and explaining what's the issue with all of this amounts to "handing out free consulting" if anything

      • mpeg 2 days ago

        Unfortunately that is not how the law works, at least in most countries. As soon as you enumerate ids regardless of whether there is any security in place it is unauthorised access and it's illegal.

        • komali2 a day ago

          Right, I believe they're posting as if the ethical standpoint is normalized, to further highlight the absurdity and injustice of the current legal framework.

          • tsimionescu a day ago

            Why is it unjust to prosecute people who harm a business and unsuspecting customers of that business by disclosing 0-day vulnerabilities publicly without giving them even a chance to patch?

            The poster here has no proof that the vulnerability was already being exploited. For all we know, as obvious as this was, no one else had yet thought to look.

            This is like going around people's house doors, testing to see if they are unlocked, and if they are, posting a big sign saying "unlocked door" on each one. It's obviously an anti-social act masquerading as benevolent, and it should be punished. Of course, the company running such highly vulnerable code should also be punished, but that doesn't absolve anyone.

            • komali2 20 hours ago

              Your metaphor is a big stretch. We're talking about a business and the expectations we should have for businesses.

              Noticing an overhead pipe at McDonald's is dripping onto the griddle and pointing it out to people isn't harming the business, it's pointing out the business' gross negligence.

              • tsimionescu 12 hours ago

                I don't agree with your alternate metaphor. In your example, publicly pointing out the leaking pipe can't cause any damage to the existing clients. In this case, publicly pointing out an exploitable vulnerability that gives access to personal information does bring extra harm to the customers.

                If you want, a more apt comparison might be going around a business park and sticking big signs on every unlocked archive door you find. The companies not properly locking the doors are at fault, and customer data may already have leaked; but, you are virtually guaranteeing that even more customer data will leak by doing this. It should absolutely be illegal.

        • pnt12 a day ago

          Seems outlandish. Citation needed? I'm aware of a couple of cases in the US, but not all over the world.

          Secondly: can consumers be blamed for gross negligence? It's not reasonable for a bank to post account balances on a public billboard and ask people not to look at others'. We should contest when private data is available publicly, hidden only by small obfuscations, not professional security practices.

          • mpeg a day ago

            So for example in the UK with the computer misuse act, intent matters. If you intentionally change an id because you expect you will be able to access other data it becomes a crime.

            Your example is flawed because in this case the private data was not made available publicly at all – you need to intentionally exploit a software flaw to access it.

            Of course, it also matters how you handle it. If you do enough to just discover the flaw, try to adhere to the bug bounty program scope (if any), use your own accounts in testing and responsibly disclose any findings as soon as you have a poc then you'll probably be ok.

            In this case the author went way beyond just finding the flaws, and then disclosed it publicly in a completely irresponsible way without even trying to contact the company or any of the clients affected by it (some of which will certainly have a security contact that can liaise with the vendor).

            • pnt12 a day ago

              I concede that intent matters.

              Maybe a better analogy is a bank with open lockers and no vigilance: if someone enters and steals money, the police will look for them, because "the coffers were open" is not a valid defense. But customers will also demand answers from the bank - why were they so negligent and incompetent that someone can just enter and get their money?

              We should hold similar values for digital systems.

              Was the author's intent on stealing private data and causing harm? Did he gain from this abuse? Did the company take enough measures to safeguard their data?

              Companies have been mostly not held responsible for their fuck ups, and no matter the law, that's wrong to me.

      • tsimionescu a day ago

        There are exactly two activities you can be participating in if you are exploring someone else's undocumented API: (1) free consulting, or (2) illegal hacking. Disclosing vulnerabilities you found in someone else's product, regardless of how obvious, is free consulting. If you're not responsibly disclosing them, then you were illegally hacking their systems.
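      The pattern this subthread argues over, an unauthenticated order API keyed by consecutive numbers and a table number the client supplies, as an added example that is not from the original post, this thread, or Dotpe's code (it makes no claim about how that service is actually built): a minimal in-memory order service in its enumerable form beside a hardened one that issues opaque order ids, ties each request to a per-table HMAC token of the kind a QR code could carry, and checks on every read that the order belongs to the caller's table. The server key, phone numbers, table numbers and menu items are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: one per-deployment secret known only to the server (constructed value).
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"


@dataclass
class Order:
    order_id: str
    table: int
    phone: str          # the PII the thread is worried about
    items: List[str]


class InsecureOrderService:
    """Sequential ids and no check on who is asking: the IDOR / enumeration pattern."""

    def __init__(self) -> None:
        self._orders: Dict[str, Order] = {}
        self._next = 1

    def place(self, table: int, phone: str, items: List[str]) -> str:
        # The table number comes straight from the request body and is trusted.
        order_id = str(self._next)
        self._next += 1
        self._orders[order_id] = Order(order_id, table, phone, items)
        return order_id

    def get(self, order_id: str) -> Optional[Order]:
        # Anyone who can guess an id (1, 2, 3, ...) gets the record.
        return self._orders.get(order_id)


class HardenedOrderService:
    """Opaque ids, a per-table capability token, and an object-level check on every read."""

    def __init__(self) -> None:
        self._orders: Dict[str, Order] = {}

    def table_token(self, table: int) -> str:
        # What the QR code for that table would carry; unforgeable without SERVER_KEY.
        mac = hmac.new(SERVER_KEY, f"table:{table}".encode(), hashlib.sha256).hexdigest()
        return f"{table}.{mac}"

    def _table_from_token(self, token: str) -> Optional[int]:
        try:
            table_str, mac = token.split(".", 1)
            table = int(table_str)
        except ValueError:
            return None
        expected = self.table_token(table).split(".", 1)[1]
        return table if hmac.compare_digest(mac, expected) else None

    def place(self, table_token: str, phone: str, items: List[str]) -> Optional[str]:
        table = self._table_from_token(table_token)
        if table is None:
            return None                          # forged or malformed token: refuse
        order_id = secrets.token_urlsafe(16)     # 128 random bits: not enumerable
        self._orders[order_id] = Order(order_id, table, phone, items)
        return order_id

    def get(self, table_token: str, order_id: str) -> Optional[Order]:
        table = self._table_from_token(table_token)
        if table is None:
            return None
        order = self._orders.get(order_id)
        # Object-level authorization: a caller may only read orders from its own table.
        if order is None or order.table != table:
            return None
        return order


def leaked_phones(service: InsecureOrderService, candidate_ids: List[str]) -> List[str]:
    """What an anonymous client learns by walking candidate ids against the insecure API."""
    found = []
    for cid in candidate_ids:
        order = service.get(cid)
        if order is not None:
            found.append(order.phone)
    return found


def demo() -> dict:
    # Constructed sample data; the phone numbers are fake.
    insecure = InsecureOrderService()
    for table, phone in [(4, "+91-900000-0001"), (7, "+91-900000-0002"), (9, "+91-900000-0003")]:
        insecure.place(table, phone, ["corn soup"])
    leaked = leaked_phones(insecure, [str(i) for i in range(1, 100)])

    hardened = HardenedOrderService()
    t4, t7 = hardened.table_token(4), hardened.table_token(7)
    oid = hardened.place(t4, "+91-900000-0001", ["corn soup"])
    own = hardened.get(t4, oid)                                    # same table: allowed
    cross = hardened.get(t7, oid)                                  # another table's token: refused
    forged = hardened.place("9.deadbeef", "+91-900000-0009", ["soup"])  # spoofed table: refused
    return {"leaked": leaked, "own_ok": own is not None,
            "cross_ok": cross is not None, "forged": forged}


if __name__ == "__main__":
    print(demo())
```

      Against the insecure service a 99-request walk returns every stored phone number; against the hardened one there is no id space to walk, a token for table 7 cannot read table 4's order, and a request that names table 9 without a valid token is rejected rather than trusted. A static per-table token is still shared by everyone who has ever photographed that table's QR code, so in a real deployment it would be paired with a short-lived session rather than used alone.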

    • thinkingemote 2 days ago

      Just because someone or something is unethical doesn't mean we should be unethical as a response.

      We shouldn't limit ourselves to only be responsible and disclose properly when the vulnerability suits us.

      That is both unfair and irrational.

rapnie 2 days ago

> Is this what the peak ordering experience looks like?

Call me old-fashioned, but to me the peak experience is a paper menu to choose from, and a waiter that patiently takes the order. Far prefer that to everyone at the table fiddling on their phones in some weird-ass website or even god forbid custom app.

  • frereubu 2 days ago

    My main beef with these menus is that I can't see the entire menu on my phone screen, and end up scrolling up and down multiple times before I can decide what I want to order. With a paper menu my eyes can flick up and down much faster. It's like trying to edit spreadsheets on a phone - technically possible but a real pain in the arse.

    • coisnepe 2 days ago

      Reminds me of how some people mocked me for having O'Reilly and such massive reference books when I started learning Python and Ruby. "But everything's online!" they claimed. Sure, but nothing's faster than browsing the index for what you're looking for and then skimming the section you're interested in, as opposed to going back and forth between StackOverflow threads and random blogs. Currently renovating my house, and I again bought 400+ page reference books on plumbing and electricity, largely sparing me the need to endure endless YouTube videos littered with skits, sponsorships etc. Just straight-to-the-point, factual information.

      • Am4TIfIsER0ppos a day ago

        Online documentation is good if you already know what you're looking for. It is shit if you want to discover what is available. I am specifically thinking of the python docs and the time I, as a not-python programmer, wanted to see the various "grouping" types (lists, arrays, sets, dicts, tuples, whatever).

        • paledot 20 hours ago

          The Python core docs are uniquely terrible, though.

    • mihaaly a day ago

      At least the screen is only touched by you. My peril is the touch-screen ordering places (practically all fast food places nowadays) where, judging by their looks, hygienically challenged persons swipe their fingers up and down for a long time before you have a chance to follow them. There is an ice cream place that opened nearby that I had no chance of trying because they only have touch-screen ordering. The guys at the till only serve ice cream, and all orders must go through the touch screen. They put the ice cream into a cone - if you dared to order so - and put it into the fingers of the customer who just swiped the same finger over a screen swiped by dozens of unknown people before. Oi!

      • goldsteinq a day ago

        Do you get a freshly-printed paper menu every time? From the hygiene standpoint, remote-ordering from your phone is the best, screens are worse (but at least you can wipe them before use) and paper menus are the worst, since it may be harder to disinfect them.

        • mihaaly a day ago

          It was beyond the phone-screen-based matters, you see (which is a great dirt magnet beyond toilet seats actually, like keyboards, coming from the need for constant touch in each and every life situation). I believe you hold a paper menu without the need to smear the matter on your skin all over it, you know (or just leave it alone on the table if it is one page), unlike touch screens where it is a must ... Also, the fast food places that steer people towards glass surfaces, smearing the cover of their skin all over, normally had no menus; you just look up and say what you want. Now you must touch all over, like the handle of the public toilet, only more! Different scenario.

          [1] https://ihpi.umich.edu/news/your-cell-phone-10-times-dirtier...

        • adastra22 a day ago

          The people before you have also touched the seat and table, the door handle, breathed the air you're breathing, etc.

        • capitainenemo a day ago

          Which is why restaurant menus are often laminated.

          • dylan604 a day ago

            No, they are laminated to protect from spills that damage the menus and require a replacement. The places with laminated menus are not concerned about your health when making the lamination decisions. Otherwise, do you assume by their being laminated that the staff dutifully washes/disinfects them after being collected from each table every time? I can assure you they are not. They are only wiped off when they are spilled upon, and not even that well.

      • shmeeed a day ago

        I use my knuckle for that, because I'm much less likely to touch my food or face with it later. Same goes for e.g. elevator buttons.

      • DiggyJohnson a day ago

        I don't mean to be too forceful about this, but how is a common touchscreen ordering system any better or worse than the door handle you used to walk in?

        • mihaaly 7 hours ago

          I wouldn't use the entrance door as an example due to automatic doors in most places, but let's assume the toilet door handle, which is even more disgusting.

          I would say that there is no difference! : )

          Except not everyone is using the toilet door handle, and not for a prolonged time, holding and swiping for long seconds or minutes, no, unlike with a touch-screen ordering system, which they swipe around for looong, each of them ordering, making sure all the content of their skin is thoroughly applied to the surface; practically everyone does that - except me, in case I have the option of going to the till and ordering by speaking (before someone niggles: I stand back and am not spraying saliva :) ).

    • loa_in_ a day ago

      I find it absolutely annoying that our phones with amazing pixel density limit the max zoom out for some reason. If I want 5x8 font on my 1080p phone screen why not let me?

      • mondobe a day ago

        Plus, many restaurants have clickable pictures of each menu item. Even if the font isn't readable, you can still get an idea of what looks good.

    • eleveriven 2 days ago

      Scrolling back and forth on a small screen is tedious

  • gibolt 2 days ago

    Even worse when the weird ass website has links to multiple PDF documents to download.

    Then you find out all the items you looked at aren't available when the waiter stares blankly at you about your order.

    Turns out the dinner menu requires horizontal scrolling on the page to find.

    • rapnie 2 days ago

      For me peak worse is tables where you get dealt with a single iPad, even when visiting with six people. Which you then get to pass along. And then the 'tech experts' take care of ordering for those who don't get computers, like many elderly folks.

    • OvbiousError a day ago

      I prefer the PDFs. Most of the time you can zoom out enough to actually have a sizeable part of the menu visible instead of 3 items at a time.

  • tjbiddle a day ago

    Completely agree with you.

    If a restaurant has a QR-code menu, I ask for a physical one.

    If they don't have a physical one, I walk out.

    I've done that many, many, many times.

  • com2kid 2 days ago

    Many people like being able to see what they are ordering. I've seen people order by pointing to pictures on Yelp instead of using the paper menu. Online menus with pictures of every dish are desired by plenty of customers.

    • TeMPOraL 2 days ago

      > Online menus with pictures of every dish

      The invention of color photography, and large and small format color printing, make it unnecessary for the whole thing to be online. You can have pictures without all the issues of online - like small, low-resolution screens (relative to paper all screens are low-res screens), and being coerced to give away personal data.

      • com2kid a day ago

        I've been to restaurants that have pictures of every dish on the menu. Those menus end up being the size of large books, and in one case the menu was delivered in the form of a three ring binder with laminated pages to flip through.

        Good menu layout and design costs money, laying out 30 or so pages with full pictures of every dish, and then printing a bunch of those up, is not reasonable.

        Meanwhile online menus can be searched and filtered through.

        That said I think that online menus are generally sub-par compared to paper, mostly because paper is better than a screen for most things, for people who don't know a given cuisine, pictures are essential.

      • hot_gril 2 days ago

        If it were this easy, they would've printed images on menus long ago. Which a few restaurants actually do, but usually only for a few dishes. That said, I refuse to go to any restaurant that has a QR code menu.

        • TeMPOraL 2 days ago

          It's not hard. It's just a bit more work - enough that it starts requiring a professional to be involved (graphics design, photography, coordinating print), whereas traditional menus can be half-assed[0] by anyone with passing familiarity with Word and access to the office printer.

          In contrast, the digital menus usually come as a solution, packaged with a promise of some juicy business analytics, so the restaurant only needs to sign the contract and send over some files - that's even less work than regular paper menus.

          So no surprise they're jumping to "high tech" - they're really outsourcing menus to a marketing company.

          --

          [0] - I don't know how things are at the very highest tier of restaurants for the rich, but for those accessible to less rich, it seems the higher-end the restaurant is, the worse the menu is. Bad design, typos, etc. I suppose having an established reputation allows them to get careless about the minor details.

          • hot_gril 2 days ago

            I would expect the most expensive part to be printing and laminating those menus, which will also be longer due to the space used on images. Then they need to be cleaned, possibly updated, and will still go bad over time.

            • TeMPOraL a day ago

              Printing is cheap and, even with a half-decent consumer-grade inkjet or laser printer, takes very little labor. Laminating is much more labor-intensive, though it's not bad as long as you stick to a standard paper size[0].

              In my experience, somehow, in the transition to digital and past worries about "dead trees", most people missed the fact that paper and printing are dirt-cheap these days[1], and if you account for e-waste, often much more environment-friendly than digital alternatives.

              --

              [0] - We bought a laminating machine recently, so my wife could make various educational tools for our kids herself. It quickly stops being fun once you're trying to laminate a bunch of arbitrarily-cut shapes on a single sheet; keeping things aligned is a PITA.

              [1] - Well, not if you're paying a print shop. I think that biases the intuition for many. Even color printing is too cheap to meter if you have a half-decent printer at home.

              • com2kid a day ago

                I've been to restaurants with home printed laminated menus. It cheapens the entire experience, to an incredible degree.

                The inks fade very quickly, the lamination job feels like, well, an elementary school art project, and there is no way a nicer upscale establishment is doing this. (And with food prices being what they are, almost every place nowadays is a "nicer" place!)

                Meanwhile there is a damn good reason that the fancy expensive cocktails get their own full-color advert at every table! Making food look good, with high-quality design and printing, makes the food look more desirable.

                • hot_gril 21 hours ago

                  Yeah, fancy restaurants will often use non-laminated paper menus that I assume they have to reprint frequently.

                  • com2kid 15 hours ago

                    Really fancy restaurants update the menu frequently as well, at least seasonally if not more often. Sometimes they leave a version number or revision date at the bottom!

    • GJim 2 days ago

      > pictures of every dish are desired by plenty of customers.

      I'd expect my waiter to look rather puzzled if I asked for a picture of my food, and also perhaps to politely remind me that I am not in a fast food outlet.

      • Freak_NL 2 days ago

        Besides, for anyone completely lost in a restaurant with unfamiliar dishes (on holiday perhaps) the age-old solution is to simply ask the waiter for recommendations, or point at another diner's dish if that looks good. Or just choose the dish of the day — it's usually the best option anyway if you picked a decent restaurant.

        • com2kid a day ago

          My go to criteria for picking a restaurant is "do I not recognize the dishes they are serving?" As in, I prefer to go to places where I don't recognize anything on the menu.

          I'll rotate through eating at a handful of restaurants until I've sampled everything on the menu, then I'll go look for a new batch of restaurants to try out.

          In other words, my day to day is being in a restaurant with unfamiliar dishes!

          That said I have no qualms ordering a dish and not having any idea what I'll be getting, but I know plenty of adventurous eaters who want to have at least a general idea of what they'll be getting and having a bunch of pictures available is easier than asking the waiter to describe every dish in a menu for a new cuisine.

          (The one flaw with this plan is my rate of exploration is greater than the rate of new restaurants opening in my area, even living in a major west coast city, so I have to keep travelling farther and farther from home to find new places to eat! Also different cultural groups centralize in different places, which can lengthen the commute needed to find good food!)

    • pjc50 2 days ago

      There's a whole industry of food photography and even creating durable fake food to sit on the counter to advertise dishes. Seeing is believing .. and advertising. Can also convey more detail about what's in something and how much you get.

      I have a soft spot for cafeteria-style "point to order" systems myself, especially when there's a language barrier. But that does impose a certain industrial feel on an establishment.

    • grishka 2 days ago

      Some restaurants in my city use a middle-ground solution: there's a tablet on each table (running Android, of course) on which you can order and pay (but that part is full of dark patterns, unfortunately). But you also still get a paper menu. And paper menus with pictures are great.

  • LightBug1 2 days ago

    OMG .... 1000 upvotes ...

    Even worse are the restaurants who require one table to be all ordered on one phone ... so one lemon ends up effectively being the waiter for the table and doing the ordering for everyone. Ask me how I know.

  • glandium 2 days ago

    In Japan, many chains are using tablets for their menu, and you can order through that. That's much better than having to pull whatever from a QR code.

    • atoav 2 days ago

      This might be the best of both worlds. The advantages of digital ordering for both customers and restaurants are:

      - staff can keep the menu up to date, basically realtime (they have to do it tho)

      - orders can directly land in the kitchen instead of through the waiting staff, which may or may not be coming

      - payment can also be done that way

      Of course there are more advantages for the restaurants that may or may not go counter to the interests (or rights!) of their customers. E.g. the ability to easily build profiles and sell that data to the highest bidder.

      There are downsides too:

      - digital menus can fail more easily than paper menus

      - congrats you are a waiter, and now IT-support as well

      - customers without phones, no/sucky internet or devices that fail to display the menu are out of luck, so you have to provide offline alternatives/own devices that need their own maintenance

      - options that are not in the menu and fields that are not offered cannot be filled, e.g. can be a problem if you are allergic etc.

      - impersonal. Most people prefer not having to jump through hoops.

      Using a tablet that is provided by the restaurant can alleviate many (but not all) of these issues.

    • xandrius 2 days ago

      Yep but many many more have handwritten menus in kanji on the walls, I can read many kanjis by now and I'm still pretty swamped by trying to interpret every shop's different handwriting.

      At least once you start decoding the drink section (much more consistent) then you can go back and try to interpret the rest.

    • ensignavenger a day ago

      Also in Japan, many restaurants have a vending machine you order from and pay at, then you get a ticket that you hand to the kitchen staff, who make your meal. They have been doing this for a long time.

    • mihaaly a day ago

      In Japan, with their obsession about cleanliness, I can imagine that those tablets are thoroughly wiped between each customer. But not in other countries.

      • Wytwwww a day ago

        Same would apply to paper menus, though? At least it's easier to notice on glossy tablet screens.

        • mihaaly a day ago

          Good point, I'd only suspect it is harder to pick up residue from the porous paper than the smooth glass, and if the paper is made of wood then that is antiseptic by nature. It is true I've seen paper menus I did not want to touch, replaced so long ago that they had a sample of the food selection and plenty of the previous guests' choices on them ... : ) At least some of those one-paged ones work just by looking at them, in contrast to touch devices mandating the tap and swipe to present things.

      • infecto a day ago

        I am always interested in this perception. It is clean in some ways but unclean in others, like handwashing after bathroom hygiene.

        • mihaaly a day ago

          I am not aware of that aspect at all, but cleaning and cleanliness is in focus in general, from childhood, cities are more tidy even by look and the sight of the lady washing up (properly, with water, sponge, having a custom belt with containers for the tools and liquids used in the process) the sidewalk after cleaning up the poo of her dog is burnt into my retina.

    • eleveriven 2 days ago

      A nice middle ground, yet tablets can be costly for restaurants to implement and maintain

      • TeMPOraL 2 days ago

        An even nicer and cheaper middle ground is a color-printed menu with photos, and/or a larger menu with photos over the counter. For customer, it's all the benefit of a digital menu with none of the downsides.

        Of course, all the downsides are the very reason restaurants are switching to digital menus in the first place, which is something people need to be reminded of. In cases of "I can't believe they replaced a perfectly good X with inferior but 'modern tech' Y", the surprise is usually the person not realizing the vendor is adversarial, and Y is giving some extra benefit to them at the expense of the customer.

        • nickthegreek a day ago

          and of course, weekend, daily or hourly price changes. You can't surge on a printed menu.

    • megablast a day ago

      It is almost exactly the same.

  • PUSH_AX 2 days ago

    I’m not sure if this could be considered “peak”. The ratio of waiting staff to customers is an obvious bottleneck.

    This inefficiency is simply accepted and not even really thought about, it’s just the way things are. But one thing I can say for this tech is it fixed it and the difference is noticeable.

    • digitalengineer 2 days ago

      inefficiency? It's part of the experience. I'm not in a restaurant or café to drink as fast as possible. I'm there to socialize as well. Waiting a bit is not a bottleneck, but a feature. (If I wanted speed, I'd take the drive-through).

      • austinjp 2 days ago

        There are plenty of comments disagreeing with you, but I'm fully in agreement.

        As for the arguments that QR codes are somehow a time-saver, they can be a real time waster. Find phone (not glued to my eyeballs), scan QR, swerve option to install app, wait for enormously bloated website to render badly, get frustrated trying to find what I want, get up to find a staff member to order something but with X instead of Y please if that's possible, can I pay with cash, etc etc etc.

        Clearly, everyone's needs and experiences are different. If you like QR codes in cafes, fine, but we should recognise that they represent something other than supposed 'convenience'. They are there to gather data, and to allow cafes to hire fewer staff. They represent the creeping invasion of privacy in every possible aspect of life. The fact that cafes may want to hire fewer staff masks the issue that an increasing number need to in order to survive. Small business margins are squeezed by unreasonable costs and shrinking profit margins, and these pressures are instinctively passed down to the customer -- you and me. Rather than mindlessly capitulate to this and encourage the one-way downward spiral, I really would hope for communities such as HN to see opportunities to 'disrupt upwards'. How can businesses resist exorbitant rents? Why are our lives so hectic that talking to a waiter is seen as too slow? Why do we give away data without batting an eyelid?

        • hot_gril 2 days ago

          I don't understand the privacy part. If you order through a waiter, they still record what you ordered.

          • Phemist 2 days ago

            These menu websites obviously track the living hell out of you and now they can tie restaurant food preferences to everything else they have already gathered.

            A waiter recording your order is at a completely different, much smaller scale. Additionally, the waiter is an anonymizing wall between the system that records my order and me and will only correlate orders across multiple visits to the same restaurant. Not potentially across single visits to multiple, geographically highly separated, restaurants.

            • hot_gril 2 days ago

              The waiter inputs your order to their point-of-sale system, which can do similar things as an online menu. If you pay with credit card, it's tied to your identity and will be used for targeting ads.

          • soco 2 days ago

            A waiter is not tracking your whole browsing data together with their 36763 partners (click here for the full list).

          • austinjp a day ago

            They may record what I order (although the cafes and restaurants I go to use pen and paper or just plain-old human memory) but that's it. Even if they enter my order into some system for analytics or what have you, there's no cookies, no tracking, no transparent pixels, etc.

            Look, all these micro-arguments about the micro-invasions of privacy are 'bread and circuses' [0]. We've entirely lost sight of what it means to be a private citizen just going about our own lives without every nanosecond being tracked, without every damn interaction being an opportunity for someone to skim a cent. Any micro-invasion can be 'justified': it's more convenient, I don't care about a restaurant chain knowing what I've ordered, I don't want to talk to other people, etc. But they all add up.

            Societies are increasingly unhappy, anxious, overweight, polarised. The gap between ultra-rich and regular citizens is widening. It all adds up.

            Yeah.. old man, cloud. Whatever. The overall evidence is stark and obvious, it just hides in the tiny details.

            [0] https://en.wikipedia.org/wiki/Bread_and_circuses

            • hot_gril a day ago

              There is already tracking via your credit card if you're paying that way, which most people do. I don't want to lose sight of that.

        • mavhc a day ago

          You can always go to an expensive eating establishment.

          It's easier to choose from an online system because it's up to date with what's in stock

          • austinjp a day ago

            This highlights a problem: you need to be wealthy to have any privacy.

            Why has privacy become something that is only available to a dwindling few? What price convenience?

      • consp 2 days ago

        Might be nice to have but it's also expensive in a low margin business. Maybe waiters get paid like crap enough for it to not matter in the US, but other parts of the world have labour laws to abide by, making it the biggest expenditure (and thus the one to save on by cutting out staff and replacing it with an app)

        • TeMPOraL 2 days ago

          Low-margin businesses have you order by the counter and then the food is either delivered, or you pick it up yourself.

          The app isn't there to improve on this. The app is there to maaaybe cut a little bit of hassle with replacing paper menus, but mostly promises to improve the business analytics side and creates many marketing opportunities, including but not limited to screwing with (er, personalizing) recommendations, creating incentive structures, and better tracking thanks to tricking the user into giving the vendor their phone number and a bunch of other data.

          And, whatever else on top it is, one thing the app is not is an improvement in convenience or experience to the user.

        • austinjp a day ago

          This highlights the underpinning problem: wages are so low that people cannot afford to live. Restaurant margins are so low they cannot afford staff.

          Why contribute to that system?

      • n4r9 2 days ago

        Have to disagree with this. At a group meet-up where everyone arrives at different times and wants their order to come shortly after they do, a digital system is so much better. These types of meetups are quite common as a parent.

        • GJim 2 days ago

          > where everyone arrives at different times and wants their order to come shortly after they do

          Good god man!

          At a social meal, we eat together; children included as this is how they learn to socialise. One would be a little concerned and puzzled if arriving for a meal, one finds others have already eaten.

          • RamRodification 2 days ago

            If only we could have different social norms so you didn't have to argue about it online!

          • n4r9 a day ago

            As another commenter said, this is probably partly down to cultural expectations. The ideal would be to sit and eat together. In reality, one family might get held up by up to an hour because their baby napped later than normal; another family is half an hour late because of traffic; another family had a nightmare nappy blowout situation and has to go back home for new clothes etc... . Being relaxed about arrival times is less stressful all round. The children will still socialise with each other in the overlapping times they are together.

          • astura a day ago

            >children included as this is how they learn to socialise

            Ummm... When was the last time you were out in public? I hate to break it to you but this doesn't happen, ever; if I see a kid in a restaurant they are pretty much always watching iPads. If they aren't watching an iPad they certainly aren't learning to socialize, because iPad-less kids in restaurants are almost always allowed to misbehave and be disruptive or even destructive.

            • Fnoord a day ago

              Spoken clearly by someone who lacks experience with having children.

              Look, it works pretty simply. Witching hour is right before dinner time. Kids are grumpy / hangry (hungry + angry). On top of that, young children have a short attention span and patience. Children certainly can socialize (after toddler age), but while sitting still at a restaurant table? Not for long. A tablet or smartphone is a tool to keep them distracted during waiting. Heck, playing is learning too, so it is IMO a learning tool.

              That said, I can recommend a family restaurant.

              For example, on vacation to Texel we went to this one [1]. I have not even seen the indoor playground (only outdoor) as the two times we were here the weather was great. Tons of children playing, the picture you see of the outdoor playground is not even 20% of the whole playground. It is quite large, with a special area for toddlers.

              Moreover, we went to a family friendly bungalow park with activities for children, and the restaurant on the park (we didn't go to it this year but previous year) has an adjacent playground. If you're on a more tight budget, the same exists for camping.

              Do children socialize on playgrounds? Toddlers kind of don't. They're still in their own world, at best they play 'parallel'. After toddler age? Absolutely. They form new bonds, become friends, they play together. They also get into conflict with each other, which forces them to learn conflict solving skills. They practice motor skills and build muscles. But I couldn't leave them completely alone, so I stayed in the vicinity. Hence, I did not socialize (which, as autistic as I am, I do not mind :P).

              On top of that, I remember going to McDonald's as kid in the late 80s (it was one of the first McD's in my country) and they had a playground with balls in it. Also great fun. For the record: I did have a Nintendo game watch and Game Boy back then. But in the McD's such wasn't necessary.

              And finally, to all those people who claim they want to socialize with strangers they visually meet. Yeah, that is why people sat on benches reading newspapers, why the walkman and discman existed long ago already, why the hairdresser has magazines, why trains have a silent area where you can read a book, etc. Let's face it: not everyone is an extrovert.

              [1] https://www.catharinahoeve-texel.nl/kids

        • carlosjobim a day ago

          Here's a hint: Eating at a restaurant is not like eating in a school canteen. And it's not about stilling your hunger. You can eat in any order and pace that you prefer. So if people arrive at different times, you can share some starters while waiting for the other people to arrive. Then jump into some main courses when everybody is ready.

          You're not supposed to arrive hungry to a restaurant, then you are doing it wrong. It's not about filling your belly.

          • n4r9 a day ago

            > you can share some starters while waiting for the other people to arrive. Then jump into some main courses when everybody is ready

            True, and that does sometimes happen, depending on the situation. But still, this is much easier to do when you don't have to flag down the waiter every time you want to order.

            > You're not supposed to arrive hungry to a restaurant

            Not if it's fine dining and I have low expectations about portion sizes. If I'm going to a "fast casual" restaurant like Nandos then I will arrive ready to eat. I dunno, maybe you're not classing that as a "restaurant" ?

            P.S. "you are doing it wrong" is kinda moralistic! I respect that some people still prefer to speak to human beings when getting service, but cultural processes are always changing and adapting to new technology.

            • carlosjobim a day ago

              Yes, I'm a bit moralistic about this, you're right. I think eating at a restaurant is a skill that a lot of modern people are not taught. It's not about eating, it is about socializing – unless you're going alone. Portion sizes have nothing to do with it, because you can order more food until you are satisfied.

              Or, if money is tight and you really don't want to order more than your main meal, you can always have a bite at home before going out.

              It's also possible to train your resistance to hunger, so that you can stand being hungry for 12 hours easy (let's hope service is not that slow). The way to train is to skip your meals during a day and wait until you become extremely hungry. Then just don't eat and after a couple of hours it passes. Do this three times on different occasions and after that you are trained for the rest of your life, and will never again become frustrated or desperate because of hunger.

      • earnesti 2 days ago

        Ok cool that it works for you, but many don't have the time and patience to wait for the waitresses. Especially when I'm with kids I just love to go to these places where I can just directly order stuff to the table using my mobile. The extra stress of waving and communicating to the waiter is gone.

        • lm28469 2 days ago

          > The extra stress of waving and communicating to the waiter is gone.

          Might as well stay at home if that's a struggle

      • Shywim 2 days ago

        I think that works out if you are alone; if you are with other people, the waiter will probably interrupt the socialization you are doing with the people you are with, causing stress even for the waiter.

        Also we should recognize that the waiter is often looked down at, it is not a very nice job, and as a human being, having a poor experience with some customers will probably pass on to other customers, etc...

        I'd go as far as saying that having a job with "wait" in the name, and having to wait, calmly and happily or else you don't get your tip, is not so far from slavery.

        • Freak_NL 2 days ago

          Having a waiter come over for ordering causes stress? The whole point of going out for drinks or food is not having to prepare it yourself and having someone else do the dishes. Depending on the venue getting waited on is a feature, not an inconvenience.

          If interacting with the people facilitating that is stressful I would recommend finding a bench near a vending machine, having someone else in your party handle the interaction, or, not going out.

          Is this just an issue in countries where waiters depend on tips for their income?

          • n4r9 a day ago

            The food is still prepared to restaurant standard and brought out by waiters. The dishes are still done by someone else. You just skip the awkward, inefficient, and disruptive step of the waiter coming up to your table (or worse, having to flag them down) to order, order more drinks, ask for the bill, pay for the bill, etc...

        • osullip 2 days ago

          Absolutely disagree with this description of the job a waiter does.

          A waiter orchestrates and coordinates the experience for the diners they are looking after. They slow down orders to stop the kitchen getting overwhelmed. They upsell on the menu in a way that is helpful and informative. They understand the dietary requirements of guests. They hold complex orders in their head and drop the right plate to the right person. They know the flow of a table and engage or back off as appropriate.

          Don't undervalue a role that can make a night out magical or a simple coffee memorable.

      • PUSH_AX 2 days ago

        You’re proving my point that it’s simply accepted. A non zero number of people want faster service than you do.

      • falconertc 2 days ago

        To socialize with the people at your table, surely? Not to socialize with the waiter?

      • lynx23 2 days ago

        Slow and mostly self-serving service is a FEATURE? Sounds like Stockholm syndrome to me. It's easy to socialize with a decently fast waiter. Bottlenecks are just that, a reason to avoid the restaurant.

    • lm28469 2 days ago

      Life isn't about peak efficiency

      The experience is as, if not more, important than the result for most things. Leave that for assembly lines (and even that is debatable)

      If you want peak efficiency order caffeine powder from Amazon and snort it, it's going to be much cheaper and much more efficient than going to a coffee shop

    • Dalewyn 2 days ago

      Much like how widening the I-405 does not improve Los Angeles's legendary traffic jams, slabnus do not improve the bottleneck.

      Namely, restaurants who move to slabnus simply get rid of the waiters who would have taken the order. You're left with even fewer waiters serving food and drinks, let alone taking orders.

      The coup de grace is I don't even get a discount for the degraded service.

      Note: Slabnu because I'm pecking at a slab of silicon instead of a proper menu.

      • TeMPOraL 2 days ago

        > The coup de grace is I don't even get a discount for the degraded service.

        It's like self-service checkouts: the store gets to save on stuff and get their customers to do the store's work instead, and we don't even get a discount for that free labor and more time spent in checkout and degraded experience.

        • jeffchien 2 days ago

          I will gladly do the work myself if it means not being stuck behind people chatting up the cashier or doing complicated coupon/return/exchange/gift card transactions. The value is in the consistency and predictability of time spent for someone who just wants a single bag of onions or a single T-shirt. If stores had no-BS lanes (more than just "X items or less" lanes) operated by human cashiers I would use that too, but I suppose we as a society consider it as impolite or bad service, so machine checkout it is.

          • TeMPOraL a day ago

            > The value is in the consistency and predictability

            "Consistency" and "predictability" are not the words I associate with self-service checkout. Maybe I'm spectacularly unlucky, but almost every time I use one of these machines with more than 3 products, the machine will get confused about the weight, or decide to randomly check me, or find another reason to lock up and have me wait for a clerk to show up and unlock it, which takes anything between 1 to 5 minutes. And I'm not the only unlucky person, either - I see it happening often enough to others, which usually reassures me that I made a good call standing in the queue for the old-fashioned human-operated register.

            • jeffchien a day ago

              That's still a lot more predictable than my human cashier experience. I wish I didn't have to dread being held up by the only cashier in store holding a riveting conversation with 4 groups in front of me. Will the other groups hold up the line too? I guess we'll see!

        • guappa 2 days ago

          Eh? Eating in a self service is normally cheaper.

          • CaptainFever 2 days ago

            I'm not doubting you, I want to believe this, but do you have any sources?

            • guappa 2 days ago

              Other than "I read the prices when I go eating?"

    • peoplefromibiza 2 days ago

      few comments

      - you are ordering food and drinks, speed is not essential, if you're in a hurry you don't sit down in a diner/restaurant

      - you assume that everything on the menu is perfectly clear, but what exactly is that thing with the mysterious name? (for example peri peri fries means nothing to me) you can ask a person, not a PDF

      - you really want X but you have food allergies or some other dietary restriction, again you can ask that to staff, not to a web site

      - most importantly, you're assuming that waiting is generally considered an inefficiency, that should be addressed or fixed and that should be the goal of every place serving food and beverages, while it usually is the moment where people sit and relax and have a little chat, it is called lunch break for a reason, isn't it? It's the generalization of XKCD #303.

      p.s. in my experience in places that use QR code menus orders are not served faster, actually the opposite is often true.

      • PUSH_AX 2 days ago

        > you are ordering food and drinks, speed is not essentials, if you're in a hurry you don't sit down in a diner/restaurant

        Honestly if I received poor/slow service and management came back with this I'd be pretty upset. Especially given a large number of places have an explicit service charge or there is a cultural expectation that this should be paid extra for.

        You're either trying to solve the problem of service or you're not, it's binary.

        • austinjp a day ago

          >> you are ordering food and drinks, speed is not essentials, if you're in a hurry you don't sit down in a diner/restaurant

          > Honestly if I received poor/slow service and management came back with this I'd be pretty upset.

          Plenty of places will tell you not to expect fast service for certain dishes or drinks. If you order a cocktail at a bar and complain when it arrives after the cola, you'll raise eyebrows.

          The confusion between you two in this thread may be partly due to the conflation of 'slow service' with 'poor service', they're not necessarily the same. Sure, if I ordered a cola and was still waiting after the table next to me received their 5 different cocktails, something would have gone wrong.

          Here's a fun story. The other day, I was in Belgium. We ordered food at a restaurant. While we were waiting I had a beer, my partner had a negroni. We waited... and waited... and waited. Other diners arrived, ordered food, their food arrived, they ate it. And still we waited.

          After a while we asked a waiter if our food order had got lost. They were apologetic, and pointed to my partner's still-unfinished drink, but said they'd get our food out ASAP. The food arrived rapidly (it was delicious).

          What had happened? Well, a negroni is an apéritif, so is drunk before a meal. The staff hadn't been inattentive; quite the opposite -- they were waiting for the apéritif to be finished. Serving the meal beforehand would have been... rude? Undignified, perhaps. And certainly something that all the other local diners would have been well aware of.

          Sure, it was a leisurely situation, nobody was in a rush, this isn't a daily occurrence, blah blah. Anyway, I learned a thing about apéritifs. Cultural heterogeneity is educational and enriching in a way that QR codes and social isolation are not.

          • PUSH_AX a day ago

            I'd amend that to being confusion between the accepted norm of service vs poor service. I'm fully aware that there is breathing space in a service, it's not a conveyor belt.

            Your anecdote is nice. I think another thing to recognise is everyone has different expectations around service time and availability of service. The great thing about some of these systems is you can choose, the one I helped implement is there if you want it, if not your table falls back to classical service, and best of all there are of course still staff around to talk to if you need.

        • peoplefromibiza 2 days ago

          > You're either trying to solve the problem of service or you're not, it's binary.

          Do or do not, there is no try

          They are trying indeed, if they succeed or not is a completely different story.

          The point is: throwing a QR code at your issues won't solve your issues.

          > Honestly if I received poor/slow service and management came back with this I'd be pretty upset.

          I don't understand what you mean, it's probably that I, as a non US citizen, don't understand why people should sit down and enjoy a meal while also being in a hurry, there's no management involved here, it's just my opinion.

          if I'm in a hurry I'll buy a sandwich or some pizza slice (it has a kinda different meaning here than in the US, but to get you an idea of what I mean)

          • PUSH_AX 2 days ago

            > The point is: throwing a QR code at your issues won't solve your issues.

            I believe this to be (generally, but with exceptions) false. On one of my contracts I worked on solving this during covid for a large restaurant chain, they still use the QR system today and there are clear and concrete metrics that tell the story of large improvements to service.

            > don't understand why people should sit down and enjoy a meal while also being in a hurry

            You're hyper focused on the ideal situation. You can not be in a hurry and still receive a level of service that makes you feel uncomfortable with the service charge/cultural expectation of the tip for this specific service.

            • peoplefromibiza 2 days ago

              > there are clear and concrete metrics that tell the story of large improvements to service

              Covid is the most disruptive global event of recent human history; I bet it had a quite larger impact than a simple QR code, assuming what you say is true.

              > You're hyper focused on the ideal situation

              Am I? I know that for a diner to serve me at a table it can't take less than 20-30 minutes or I am eating literal dog shit and I honestly don't like dog shit, regardless of the service I am receiving (or worse: I am making the staff uncomfortable by asking them to be quick because I am the one who's in a hurry).

              It means in total it will take at least one hour, if I don't have that time available I simply do not sit down in a diner.

              It's as simple as that; the ideal condition is a dinner that usually takes from 2 to 4 hours.

              The 10 seconds saved on a QR code, assuming that the QR code really saves time, are irrelevant at that point.

              It is possible that different cultures have different ways of understanding 'service standards'.

              > expectation of the tip

              You're hyper-focused on your own bubble; in most of the world tips are neither mandatory nor common, especially for a quick lunch break.

              And still your answers do not address the larger picture: the staff is there to help you, not to serve you the way a servant would. They shouldn't, in my opinion, be considered like minions executing what the machine told them to do. That's what Fritz Lang warned us about in 1927.

              But even assuming that the QR code saves a lot of time, good staff can go a long way; a fast self-service order system where you wait at the table because the place is understaffed is a worse experience than an understaffed place where at least a real human greets me asking what I want to drink, before taking my order.

              • PUSH_AX 2 days ago

                > Am I?

                I mean, yeah.. You've even done it again, outlining situations with perfect service. That's great, now think about the original problem statement where service becomes a bottleneck, and no, "if you want great fast service just go elsewhere" is not an elegant solution, sorry.

                • peoplefromibiza a day ago

                  > Outlining situations with perfect service

                  What are you even talking about?

                  Are you implying that QR code solutions are optimal for shitty services?

                  > where service becomes a bottle neck

                  This is a textbook example of a false dilemma. If service is the bottleneck, making the ordering process faster will make things worse, not better.

                  If anything, if a place is slow to take orders, I know they'll be late serving them; I can anticipate the problem and go somewhere else. If I've already placed the order, now I'm stuck.

                  It's the same thing happening at McDonald's with ordering booths: your order is very fast, the service is not, and you end up wasting a lot of time in line waiting for your number.

                  As one of the error pages of this website states, "Please stop hammering. It makes the problem worse."

                  Thanks, but no thanks.

                  You're also contradicting yourself here:

                  > where service becomes a bottle neck

                  > "if you want great fast service just go elsewhere" is not an elegant solution

                  "Service is the bottleneck, but please stay here and wait until we serve you who knows when, after you placed your order" is much worse.

                  At least with staff taking the orders they can tell you straight "we're full, there's a wait list" or warn you that on that day orders are being processed more slowly than normal, and you can decide what to do.

                  QR code machines will place orders no matter what, but, again, people are not machines and quality has its merits, more than speediness, in my opinion.

                  YMMV

                  • PUSH_AX a day ago

                    > This is a textbook example of a false dilemma. If service is the bottleneck, making the ordering process faster will make things worse, not better.

                    I'm sort of at a loss for words; I haven't posed a dilemma. Also, do you think a server exclusively does one task and nothing else, or is it fairer to say they do multiple, and eradicating one task frees up capacity for another?

                    As I've said, I've seen the efficiencies first hand, and I gain nothing trying to explain them further at this point. Enjoy your day.

                    Edit for the reply below: apparently I'm a liar too? Super rude and highly disappointing. Systems like this have been rolled out in thousands if not millions of restaurants, apparently for no good reason...

                    • peoplefromibiza a day ago

                      You simply don't know when you're wrong.

                      My wife owns a restaurant that has been her family business for over 70 years.

                      You clearly have never even been near one and think that you can fix problems that have nothing to do with tech with technical solutions; it's like believing that you can solve the fertility crisis with Tinder.

                      I recommend you read something about τέχνη.

                      Good luck my dear friend, you'll need a lot of it.

    • mikro2nd 2 days ago

      In most restaurants the kitchen remains the bottleneck. Tech has not fixed that.

      • grues-dinner 2 days ago

        Hey now, there'll be a startup that promises to bolt AI-powered robot arms to everything, that can only cook licensed "Verified Recipes", and that will be bleating "we just need more data bro, 6 months more runway, on my mother's life" until they go spectacularly bust at the end of their "journey" having never cooked a single meal.

      • cryptonym 2 days ago

        Tech "fixed" that with frozen food, fryers and microwaves. Ordering on your phone a microwaved industrial meal is a consistent user experience. That's ok for fast-food but not something I'd enjoy at a cafe or restaurant.

      • fragmede 2 days ago

        Soylent and Huel seem to have fixed that issue, for their target market.

        • mikro2nd 15 hours ago

          I've never yet heard of any restaurants that serve Soylent or Huel.

        • GJim 2 days ago

          > their target market.

          Those who enjoy tasteless gruel and want to spend their days farting?

          • anotherhue 2 days ago

            Invisible farts are a guiding principle of the market.

  • bjarneh 2 days ago

    > custom app.

    That is always the worst experience. The most painful apps always require you to spend another 7 minutes after installation typing in and verifying your credit card information... That has to be the most convoluted paying experience.

    I was almost shocked when I rented a Hertz car (via IKEA) that everything was done through a website. The website asked for permission to use the phone camera to take pictures of the car etc., and off we went. Such a good experience compared to fiddling with a new app.

  • giarc a day ago

    The best implementation of a QR code menu I've seen was as follows. There was a paper menu, but you could also order via QR. It was a well-designed page to choose from, but the wait staff was still there and took orders. We had the option to order via QR if we wanted. When they entered our order, the page (linked to our table through a custom QR code) updated with our order. We could add items at any point, or we could "call our wait staff" who would then come to our table. At any point we could just pay our bill and walk away. It was the same feeling as using an Uber for the first time and just walking out of the car and not worrying about paying the driver.

  • throwaway4233 2 days ago

    One of the restaurant chains mentioned in the author's post (Social) is an extremely crowded pub during the night and, for the rest of the time, a place where freelancers or remote workers come in to work and socialize. At least that was the case in Bengaluru, India before Covid.

    I would say that from the restaurant's point of view, having the order-from-app experience works out since the freelancers can order via their laptops whenever they want, without having to flag down a waiter. And during rush hours, tables could order what they want without having to spot and call a waiter among a very drunk dancing crowd.

  • dumpHero2 a day ago

    I'll call you old-fashioned for that. I recently went to a restaurant with a large group of friends and they used Toast tab for online ordering. The experience was much better than ordering in person. Each family was able to order and pay for themselves. We could add extra items to our order whenever we wanted.

    Without the app I would've had to keep an eye out for a roaming waiter, call them over and then place an order. This takes away from the dining experience. I also don't like to wait for the server to clear plates, take the card, swipe it and get it back. The old-fashioned ways will disappear for good.

  • mihaaly a day ago

    Same here. I am even reluctant to scan any QR code that takes me to random web pages, connecting my phone - and since the phone is an extremely personal device, practically an ID, so myself - to that place and time. I am not a fan of being traced and surveilled more than avoidable, and especially not a fan of triggering it myself, giving away additional data on myself on top of that. No thank you. And this is before considering the system exploiting the vulnerabilities of my device, instead of the other way around shown in the writing. I left a place because of their QR code primary order system. Waiters came around taking orders the old-fashioned way, but only in the gaps of serving the QR orders. No thank you.

  • jonathantf2 2 days ago

    Some apps are brilliant though - Wetherspoon pubs in the UK (despite not at all being the height of dining) have an app that works really well, I don't think I've ordered at a person there for at least 5 years.

  • sebtron 2 days ago

    In this case, a weird-ass website that immediately demands your personal data.

  • noufalibrahim a day ago

    Completely agree. And it also allows opportunities for customization. Custom paper, cutting, presentation etc. Whereas on the phone, it's usually just a PDF or some responsive website.

    A real waiter also allows for a human connection to be created. Experienced waiters (rather than part timers) can really help you make an order, give you recommendations etc. which makes the experience of dining out much nicer.

  • hyperbolablabla 2 days ago

    Agreed. I've been to restaurants that only had a QR code but were also a Faraday cage so I couldn't access it. Was absolutely ridiculous.

  • infecto a day ago

    Unfortunately the implementation that most Western countries took is pretty terrible. One of the highlights for me in China is the lack of menus in restaurants; I can still ask the staff questions if there are any, but it's nice being able to order add-ons throughout the meal without having to wave someone down.

  • elric a day ago

    Similarly old-fashioned here. If there's no menu and/or no table (or bar) staff to take an order, I simply walk out.

  • falconertc 2 days ago

    You're right, you are old-fashioned. I love order by phone. Any amount of time I'm sitting at a table trying to get a waiter to notice me and come by just feels like agony. Let me tell you exactly what I want, exactly when I want it.

  • swah a day ago

    And a little button to call the waiter... I hate trying to make eye contact with a waiter in a big and busy place.

  • eleveriven 2 days ago

    I'm with you on that. There's something special about a personal interaction with a waiter and a paper menu.

    • IshKebab 2 days ago

      People will find a way to be nostalgic about anything I guess.

      "There's something special about having a wire attached to your phone."

      "There's something special about greeting a lift operator."

      "There's something special about hand-washing clothes."

      • oefrha a day ago

        There’s indeed something special about a waiter pretending to be my best friend — the discomfort is quite special.

        • IshKebab a day ago

          Yeah fortunately that's pretty unique to the US. I will never forget when I asked a waiter in Chicago where the loo was and he led me to it. Super weird.

  • gloosx a day ago

    This is a cheap restaurant experience; in good ones you always get the good old paper.

  • matheusmoreira a day ago

    Completely agree. I'll tolerate PDF menus if it's a really good restaurant, chances are I already know what I want anyway. If they ask me to install apps on my phone I walk out.

  • megablast a day ago

    Peak to me is where we can sit, order and pay, and not get interrupted so we can actually talk.

  • mytailorisrich 2 days ago

    I have been to restaurants where they bring you a tablet that you keep at your table. It has the menu and everything on it. You order what you want from it, food or drinks, at any time and a waiter brings it to you.

    I found the experience better than ordering from a waiter and better than using your own phone.

    I've been told that chains in China have now replaced this last bit ("a waiter brings it") with a little robot.

  • AStonesThrow 2 days ago

    A good server is an emissary from the kitchen, who knows the menu, and helps you find the best dishes. A great server establishes rapport with the regulars, anticipates their needs, makes them feel welcome and comfortable.

    Unfortunately "server" is not considered a respectable career but something you put up with before your film career takes off, or how you pay your college tuition for that juicy psychiatric nurse degree.

    So nobody can be paid enough, or retained long enough, to care about customers or the food. So 25 years from now, the best server will be a Roomba with a prominent QR on its back.

    • GJim 2 days ago

      > "server" is not considered a respectable career

      In the USA maybe.

      I can assure you, being a waiter is taken quite seriously by much of the civilised world. A good waiter is an important part of the dining experience.

      • Wytwwww a day ago

        > In the USA maybe.

        Yet in the US, due to tipping, it can be (and generally is in most more affluent areas) considerably better paid and lucrative than pretty much anywhere else.

        Also I'm not sure what you are saying is generally true at all in most places (unless we're talking about a specific subset of restaurants).

      • astura a day ago

        Only in fine dining establishments, certainly not in casual/family restaurants, which are most restaurants.

        • austinjp a day ago

          There are many casual/family restaurants in France, Italy, Germany, Spain and other European countries with high-quality waiting staff.

  • globular-toast 2 days ago

    As a fully capable person I can't stand being waited on. For me the peak ordering experience is: I choose an item from some written menu with prices on it, ask for said item and pay exactly the price written on the menu. Then I either take the item immediately or come to collect it later to take it to the table myself.

    When I want to leave I just get up and go, without the stupid ask to find out how much I need to pay, then asking again to actually pay, with the expectation that I pay more than what was asked, like it's my choice to pay but really it isn't.

  • IshKebab 2 days ago

    Ah yes, the peak experience is having to wait 10 minutes and catch an extremely busy person's attention just so you can order.

    Most of these ordering systems (at least the ones that have survived COVID) are pretty good websites now. I don't remember ever having to use a custom app. It's a far superior experience.

    (Oh yeah and I guess you may be American and have a very different eating experience to the rest of the world where waiters don't live off the arbitrary generosity of customers.)

  • _yoyko 2 days ago

    [flagged]

    • guappa 2 days ago

      Ah yes, everyone who has a different opinion than yourself must have dementia. Of course.

  • ktosobcy 2 days ago

    > waiter that patiently takes the order.

    Ah yes... superiority complex?

rococode 2 days ago

Not to be a party pooper, but posting detailed financial analysis of the exact sales data of a multi-million dollar business using numbers obtained through an obviously overlooked backdoor seems like a very bad idea. Haven't people gone to jail for less? (iirc "but it was an insecure API" has not held up in court in the past)

On a more positive note, I've used a QR menu recently and it really is a game changer. Scanned a code, pressed a few buttons, and my food was there in minutes! Looking forward to seeing it more often, especially in places where you're not looking for stellar service.

  • Tepix 2 days ago

    > Looking forward to seeing it more often

    Not sure if you're serious after reading the paragraph where he ordered food for another table ;-)

    • snypox 2 days ago

      When implemented properly, it’s a convenient system. I enjoyed using it at the Stockholm airport a few months ago.

      • vesinisa a day ago

        What makes you think that system was implemented securely?

    • rococode 2 days ago

      Haha :) Looking forward to seeing it more often... with proper security

  • JKCalhoun a day ago

    > Looking forward to seeing it more often, especially in places where you're not looking for stellar service.

    I loathe them perhaps even more than I loathe the order-kiosks that McDonald's has rolled out. My phone is smaller than the folded napkin, I would rather not have to scroll to examine a menu.

    Regardless, a restaurant should think twice about outsourcing this kind of thing to a 3rd party that now has all of your (and your competitors') financials. Even if the API is better vetted, why would you trust this faceless, profit-motivated site with your data?

    "Convenience" seems to be the way they market "getting rid of employees" these days — from self-service gas, self-checkout lanes, etc.

  • msephton a day ago

    I'm interested to know what the correct way to report this would have been, specifically in this case. And what would one expect after reporting it? I've found many things like this and I only reported two: Genius (they said thanks) and Amazon (they replied but ultimately ignored it, and the issue is still there today).

    • ldjb a day ago

      First thing I would do is look for a security.txt file or search to see if they operate some kind of bug bounty. Failing that, I would browse their website or search for contact details (or even just a contact form). WHOIS can be useful for this. Ideally you'd want some kind of security contact, or a technical contact, but other times you have to make do with the general contact email/form.

      In this specific case, they have a general email address at the bottom of their privacy policy, so that's what I'd use.

      I'd send them an email along the lines of "I found a security issue with your website; how would you like me to report it to you?". Then they'll hopefully put me in touch with the right person.

      In terms of what I'd expect… If they operate a bug bounty (which they don't in this case) then I'd expect what's on offer. If not, it would depend. I often don't expect anything. There have been businesses I've disclosed security vulnerabilities to that are shady enough that I've refused the reward they offered. Sometimes I don't want anything to do with them.

  • hoseja 2 days ago

    "obviously overlooked backdoor"

    This is the front door. It's not even open, it's taken off the hinges.

    Scratch that, there never was a door in the first place, just a gaping hole right to the street.

  • eleveriven 2 days ago

    It's definitely a more streamlined experience in some cases, but for me it has more disadvantages.

siddharthgoel88 2 days ago

From a technical standpoint, I find the details interesting. However, this irresponsible disclosure of a vulnerability troubles me. I am guessing that last year the Indian government passed the PDPA bill (https://www.meity.gov.in/writereaddata/files/Digital%20Perso...), if I am not mistaken. Even though irresponsible disclosure of a vulnerability is not explicitly mentioned in this Act, I am pretty sure that such irresponsible disclosures are enough for the author to land in trouble.

Leaving PDPA aside, as a software professional I find this act kiddy and unethical. 10 years back I found a major vulnerability in a major multinational bank where I was able to see the monthly statements of any person. I reported this to the bank and they took approximately 1 year to fix it. I did not even mention this bug to my friends or on my CV till it was fixed.

  • hoseja 2 days ago

    If you leave the gate to your yard wide open don't be surprised to find kids playing ball there.

    • siddharthgoel88 2 days ago

      Understandable in this case. But if the playground is in a developed nation (like the US, Canada, Singapore, etc.) then it is unlikely that kids would be playing.

      In India, personal data is not yet taken seriously by both educated and uneducated people. It would take some time, but I believe this realisation will come over time in people.

laeri 2 days ago

I am confused, they didn't contact the company at all and just disclosed this publicly? Very immature handling of a vulnerability finding.

  • yuye 2 days ago

    And to add that he tried out the exploit on unknowing participants. It would have been better to try this with a friend in the know at a separate table. It makes me think he did it more as a practical joke than to test his exploit, especially because he mentioned they were "not-too-intimidating-looking guys".

    I'll admit it is a bit funny and the damage caused is tiny (just the price of the food). However, things like this do harm the reputation of bug-bounty hunters.

    • lopis a day ago

      He could have just tried it on his own table (order on the phone, and then on the laptop through the vulnerability) and avoided having to a) bother others, b) waste food. The result would have been the same.

  • lordgrenville 2 days ago

    The author says "I refuse to believe they’re unaware of this. This doesn’t feel like an oversight, it's either a deliberate design decision or they just don't care." Agree that this is an uncharitable way of looking at it.

    • appendix-rock 2 days ago

      Yep. It's just working backwards from some pre-existing very negative worldview.

      • aitchnyu a day ago

        It's a justifiable worldview. I'm an Indian dev and I've seen obvious backdoors like these added to the backlog as a low-priority bug. If somebody spends time on this, that means features are being delayed and you are rewarded less.

        I've worked in the Lambda web editor (not in Git) and my lead considered replacing SQL injection with parameterised queries a distraction/insubordination. Can't wait till audits, data breach insurance and imprisonment become the reality.

    • AtNightWeCode 2 days ago

      Could be as simple as no auth in debug builds and then deploying it by accident.

      • JKCalhoun a day ago

        I don't mean to pick on your comment, but to respond to a prior comment, you are beginning with a very positive world view and interpreting the events from there.

        Lazy API that did not vet a simple backdoor?

        Good coders but accidentally pushed the debug version of the API?

        I am going to have to say the second option feels less likely (yes, I have been called cynical).

        • AtNightWeCode a day ago

          Different confs in the same repo. Many CI/CD tools will pick debug/dev conf by default if nothing else is set.

          It was just an example. Maybe they knew.

  • prmoustache 2 days ago

    Is it a vulnerability when it is obvious the company does not care about security?

    • shreddit 2 days ago

      Yes. Because who at the "company" even knows about this? Maybe just some coder who wrote it. But the legally liable CEO? Maybe not.

      • friendzis 2 days ago

        > Because who at the "company" even knows about this?

        Everyone who designed engineering requirements, technical requirements, test plan, everyone who wrote technical specifications, everyone who performed traceability. It was all approved by security engineers and management.

        > The company was founded during the pandemic when contactless dining became popular.

        There were tons of people intimately aware of the issue, yet for four years nobody cared.

      • prmoustache 2 days ago

        That is his job to make sure he employs people who take care of this and that the services they sell are audited by an independent organization.

      • Brian_K_White 2 days ago

        Who at the company gets to keep all the money?

  • 4ndrewl 2 days ago

    This is hardly a 0-day vuln exploit. This works as designed (and presumably the design has been signed off, etc.)

  • desultir 2 days ago

    Is it really a vulnerability if the entire thing is open by design?

    • filcuk 2 days ago

      Who says it was? Why would they willingly give out their customers' and customers' customers' data to any anonymous person or bot? More likely a bad oversight.

      • cwillu 2 days ago

        This is “the tire shop doesn't have a torque wrench” level shit. If it's an oversight, it's an oversight due to incompetency, not because a good team just happened to miss something in a crunch. Another possibility is that the issue was raised and management said to fix it later, and because software “engineering” isn't a real engineering field that holds its practitioners to any duty of care, those responsible (the engineers) just went along with it.

      • imiric 2 days ago

        For 3 years? That would mean that no developer has ever raised these issues with management, to say nothing of an actual pentest being conducted.

        No, this is not some obscure security hole they forgot about. This is plain incompetence and/or deliberate design decisions.

        I agree that full public disclosure like this is irresponsible, but exposing issues like this to the public is the only way for such companies to make a change or, preferably, lose business and shut down.

      • MattGaiser 2 days ago

        No auth at all? For years? That’s a tremendous oversight. Nobody running a test having to authenticate?

      • TeMPOraL 2 days ago

        Because they don't care, and their customers don't understand any of this shit?

        It feels like the usual case of vendors buying service to better exploit the users, and themselves getting burned and/or exploited by that service too.

    • mpeg a day ago

      Yes! You as a user are not meant to knowingly access data that does not belong to you. Even something like changing the id from 1 to 2 is legally considered unauthorised access.

      It would be different if for example the application was showing data for other customers through normal use of it, but even if there is no other barrier to access than changing an id that is considered bypassing access control and can result in jail time in most places. Now I'm not an expert in India's computer misuse laws but I am willing to wager they are not the most progressive when it comes to this kind of thing.

    • inquisitor26234 2 days ago

      Same thoughts; annual reports of larger companies have denser figures than these too.

    • victorbjorklund 2 days ago

      Doubt the company made it open by design. Doubt you will find an order from the CEO to make it open. It was probably a fuck up by a shitty coder.

  • globular-toast 2 days ago

    If you discovered an incompetent healthcare provider was prescribing antibiotics for every condition would you "contact them privately" or contact the relevant authorities?

    Private disclosure is for when you believe the company cares about security but made a genuine mistake. For the company in the OP it would be more like free education in fundamental privacy and ethics. They're not entitled to that. Name and shame.

    • appendix-rock 2 days ago

      Sure, but what you’re describing is not what is being suggested. Responsible disclosure typically involves disclosing publicly after a reasonable period of time.

      • TeMPOraL 2 days ago

        Why? Why should they be the responsible ones, when the well-funded, well-connected service provider is acting like the fly-by-night startup (that they probably started as)?

        There's little public benefit in responsible disclosure here; all it would lead to is the whole thing being swept under the rug with some trivial "fix". There's lots of public benefit in immediate, wide disclosure - the scramble to fix this under pressure from vendors before potential abuse, and any real or imagined attempt at abuse, and subsequent lawsuits, would go far towards educating people and the industry about privacy, security, and bad business practice. It's a nice low-real-damage, high-publicity case.

        It's not like this stuff is new. But without serious pressure, the businesses will never learn and never stop making or enrolling into such systems.

        Anyway, if it happened over here in the EU, I'd do the responsible disclosure thing and give a full, detailed advance expose to the local Data Protection Authority.

        (And if I sound adversarial, then consider that neither the vendor developing such systems, nor the venues using them, are doing it in the interest of the customers.)

        • altacc 2 days ago

          There's a big difference between announcing "I found all this private data" and "I found all this private data and here's exactly how I did it and here are the URLs". What the author has done is detail exactly how anyone else can abuse this system from anywhere in the world and also given them ideas about what to do with that information that would cause a direct cost to the company. I think that's irresponsible and unnecessary. Your public disclosure rationale has some merit, but it didn't require publishing the user manual for the attack. Just saying you used the API, publishing the amounts plus some proof of private data from people who have given consent, would be enough to get the business scrambling.

          • golol 2 days ago

            This seems less like a "manual for attack" and more like tweeting that your local storage unit rental never puts locks on their garages and gates and "anyone could just walk in and out".

            • altacc 2 days ago

              To expand your analogy, can you see the difference between "A storage unit I know of never uses locks" and "The storage unit at 1234 Central Boulevard, San Andreas never uses locks, just wiggle the door a bit and it'll open"?

              I think most people would acknowledge there's a big difference.

              • Wytwwww a day ago

                That's not the same though at all. A closer analogy would be publicly announcing that "the company managing the storage lockers at 1234 Central Boulevard, San Andreas is keeping all of them unlocked without telling their customers".

                Which would still be wrong but you're implying that the business is the victim here when it's the complete opposite.

              • golol a day ago

                Yeah, sure, it is a difference, but for me not outrageously immoral. I guess you can get in trouble though.

          • Wytwwww a day ago

            > cause a direct cost to the company

            Nothing wrong about that. Of course it still doesn't justify publishing/providing access to the data of clients who did nothing wrong.

      • Wytwwww a day ago

        In the EU this would be illegal and (hopefully) lead to very high fines. So why would you try to help and conceal their criminal behaviour instead of reporting them?

        Of course in other places there aren't really any good options. So I guess the most "moral" approach would be to do what you think would cause the most financial damage to the business and discourage people from going there.

      • globular-toast 2 days ago

        Right, but would you afford the same opportunity to the healthcare provider? You'd contact them privately and expect them to go and learn why over-prescription of antibiotics is a bad thing and change their ways? Of course you wouldn't. You'd go to someone who cares. In healthcare there are ways you can report it without naming and shaming publicly, but how could the author do that?

  • AndyMcConachie 2 days ago

    Disagree.

    Most likely the company will blame them for trying to help. Also, if the company is so incompetent that they allow this why bother. He's not getting paid to be their test engineer.

kapitanjakc 2 days ago

I found a similar vulnerability in a state government bus transport facility, where you can get a list of everyone who made a reservation online.

You can get their gender, age, name, mobile number.

I simply reported it to their website's support email and state cyber cell.

This was 7 years ago; that vulnerability still exists.

  • jeroenhd 2 days ago

    This is why security researchers (threaten to) release this kind of information publicly. Reporting security issues doesn't fix anything until other people learn the details.

steinuil 2 days ago

I like to scan the "specialized" bar/QR codes I come across in my daily life in case they're not just URLs. Sometimes I find some interesting stuff and possibly some opportunities for mild exploits.

The other day I was at Burger King. They allow you to refill your drink as many times as you like within 60 minutes of purchasing it, and the way this restriction is implemented is by having you scan a QR code they print on your receipt at the drink machine. I scanned the QR code with Binary Eye (an Android app that reads all sorts of barcodes, highly recommended). It contained some numbers I couldn't immediately recognize as interesting, a timestamp in a format similar to 202409231049, and a UUID.

Now, the UUID is probably the ID of the order in their internal system, so the question is: does the drink machine only read the timestamp or does it also use the UUID to query the internal system to re-validate it? Can you craft a QR code with the same data but change the timestamp to achieve infinite refills?

  • TeMPOraL 2 days ago

    > Can you craft a QR code with the same data but change the timestamp to achieve infinite refills?

    Well, can you? :). It's the obvious next thing to try, given that Binary Eye is conveniently also a barcode generator, not just a scanner.

    • steinuil 16 hours ago

      I know, but sadly I did not have enough time to stay there for more than an hour and try it out.

  • always_imposter a day ago

    > Can you craft a QR code with the same data but change the timestamp to achieve infinite refills?

    I'm hoping nobody is naive enough to let the client hold mission-critical info to implement something as crucial as giving a discount, or refills in your case. It would just be an extra column in your DB table; the only identifier available to the user should be the UUID, along with some identifier.

    • steinuil 15 hours ago

      I don't think this is that critical; if you stay there long enough and regularly go to refill your drink or come back the next day and make a beeline for the drink machine I think the staff would notice something's off.
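The two validation strategies debated in this subthread, as an added example that is not from the original thread or any vendor's code. It assumes steinuil's token layout (some numbers, a YYYYMMDDHHMM timestamp, an order UUID) joined with a `|` separator, and a constructed back-end order table; the weak check trusts the printed timestamp, while the hardened check uses the UUID only as a lookup key and takes the purchase time from the server-side record, as always_imposter suggests.

```python
from datetime import datetime, timedelta

REFILL_WINDOW = timedelta(minutes=60)  # "as many times as you like within 60 minutes"

# Constructed back-end order table: order UUID -> purchase time recorded at the till.
ORDERS = {
    "7c9e6679-7425-40de-944b-e07fc1f90ae7": datetime(2024, 9, 23, 10, 49),
}

# Constructed receipt payloads. The second reuses the genuine UUID but has the
# printed timestamp moved forward to 12:30 (the question raised in the thread).
SAMPLE_GENUINE = "1043|07|202409231049|7c9e6679-7425-40de-944b-e07fc1f90ae7"
SAMPLE_FORGED = "1043|07|202409231230|7c9e6679-7425-40de-944b-e07fc1f90ae7"


def clock(ts: str) -> datetime:
    """Machine clock for the examples: same YYYYMMDDHHMM format as the receipt."""
    return datetime.strptime(ts, "%Y%m%d%H%M")


def parse_token(token: str):
    """Split a payload 'store|till|YYYYMMDDHHMM|uuid' (assumed layout) into fields."""
    parts = token.split("|")
    if len(parts) != 4:
        raise ValueError("malformed refill token")
    store, till, ts, order_id = parts
    return store, till, clock(ts), order_id


def weak_check(token: str, now: datetime) -> bool:
    """Trusts the timestamp printed in the code: whoever prints the code sets the clock."""
    _, _, printed, _ = parse_token(token)
    return printed <= now <= printed + REFILL_WINDOW


def strong_check(token: str, now: datetime, orders=ORDERS) -> bool:
    """Treats the UUID as the only trusted field and re-validates against the record."""
    _, _, printed, order_id = parse_token(token)
    purchased = orders.get(order_id)
    if purchased is None:
        return False  # no such order was ever issued a code
    if printed != purchased:
        return False  # printed time disagrees with the till's record: tampered
    return purchased <= now <= purchased + REFILL_WINDOW


if __name__ == "__main__":
    late = clock("202409231230")  # 101 minutes after purchase
    print("weak   accepts forged code at 12:30:", weak_check(SAMPLE_FORGED, late))
    print("strong accepts forged code at 12:30:", strong_check(SAMPLE_FORGED, late))
```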

sschueller 2 days ago

A guy went to prison for doing this with AT&T's public subscriber data. The media didn't do him a favor by calling it a hack.

  • globular-toast 2 days ago

    I almost got into big trouble at school for "hacking a teacher's email". I guessed their email address (they were systematically generated) and sent an email. It's true you can get into trouble for this, but we need to all take it upon ourselves to make sure this doesn't happen. If this guy got into trouble I would hope every software engineer would be up in arms defending them.

    • necovek a day ago

      It's not that simple: if you accessed something simply because it was badly protected yet you were obviously not supposed to access it, it's more of a grey area. I mean, imagine an uber-hacker for whom many a network is trivial to break into: they can always argue how it was insufficiently protected.

      You accidentally stumbling on something unprotected generally clears you from any liability as long as you stop as soon as you notice it.

      The code of conduct for white hat hackers is to explore but not abuse, and report as soon as they have enough clarity on the issue. But there is no legal basis for this to avoid any liability except if a company runs an official bounty program.

      In that sense, the OP author could face hacking charges if India has similar laws to the rest of the developed world, and the author doesn't even have the "well intentioned" argument for their defence since they never reached out: the only defence they have is that they did not attempt to profit off it.

      IANAL, though :)

    • antimemetics a day ago

      Nah, I'd better err on the side of caution with this. Plenty of examples in history where lives were utterly destroyed even though every sensible person was on their side; Snowden is just one extreme example but there are many others.

    • umbra07 2 days ago

      you mean you guessed the systematically generated password, right?

      • mcpeepants a day ago

        > I guessed their email address [...] and sent an email

        the old "HELO" hack

    • dplgk a day ago

      My 8th grade computer class teacher yelled at me for hacking the computer because I was rearranging the icons on the desktop.

  • trustno2 2 days ago

    Eh it was not just that, weev obviously had evil intent. (I wonder what's up with him now, last time I read his blog, he was posting neo-nazi posts from Ukraine)

yawnxyz 2 days ago

Reminds me of this Aussie cleaning company's website that forced you to create an account to place an order.

With a couple of clicks on the web app, you'd encounter a bug... and then you could see every single person's orders, email, and personal addresses. And it was my partner who discovered it (she was struggling to order service through the website because it kept failing).

Oh and they also never charged us for service despite multiple emails asking them how we should pay (somehow we were able to order service through the site but never paid?)

Clearly they're not a serious company...

  • prmoustache 2 days ago

    Isn't service taken into account in the price of the meals?

    • grues-dinner 2 days ago

      Probably depends if the cleaning company is bringing meals because it's an extra service they provide, or the place is such a mess that they think the customer deserves some charity?

Bengalilol 2 days ago

Now, that went rogue quite fast and easily. I still find it confusing when some devs opt for the "let's not think about security, tokens, POST requests and whatever".

I am sure some companies using that service will ask for more closed doors before everyone can look up their revenues. That's one big example of a non-technical vulnerability based on a 101 technical principle.

thih9 2 days ago

> Next time you're at a restaurant that makes you scan a QR code and enter your mobile number to order, I want you to remember that random strangers on the internet are looking over your shoulder and watching what you're eating.

Isn’t this just sample size one? In other systems this information can be passed securely and not leaked later.

  • TeMPOraL 2 days ago

    Let's not forget though that these systems aren't made to make your ordering experience better (they do the opposite). They're literally made to make it easier for more "random strangers" to look over your shoulder and watch what you're eating: strangers working for the vendor, working for the QR-menu solution provider, working for various marketing companies, etc.

yas_hmaheshwari 2 days ago

I know that Indian companies might not have a bug bounty program, but you should get paid for finding such a big vulnerability. And their CTO should take some blame for this.

On the other hand, I agree with other comments that posting the whole financials of a company does not seem like a good idea.

PS: I really like your writing style. Subscribed to your newsletter.

  • Wytwwww a day ago

    > I agree with other comments that posting the whole financials of a company does not seem like a good idea

    Probably. But IMHO it's the right/moral thing to do, posting/showing how to access their client data is of course hardly justifiable.

always_imposter a day ago

The api is still up and they still haven't done anything to remedy this. Like, that should be your first priority, first send an email to your customers apologizing for this and then start working on it.

Yikes.

As one commenter on X(itter) said, the only way this company will think about fixing this is when a competitor gathers all their customers' details and emails them to migrate to their service if they don't want their precious data to leak.

jonplackett a day ago

> This doesn’t feel like an oversight, it's either a deliberate design decision or they just don't care.

Having a complete lack of any authentication and sequential IDs does seem like a design decision.

  • shthed a day ago

    Feels like a proof of concept demo app built by an intern, to which the customer said: perfect! Launch this in production tomorrow.

voidfunc a day ago

404 / Not Found. Looks like someone got to OP.

Anyone have a cached copy?

0xFEE1DEAD 2 days ago

I was waiting for a "I disclosed the vulnerability and this is how they reacted" story arc but there wasn't one. Pretty disappointed OP went this route. The golden rule is to always disclose the issue and wait for them to fix it before you publish. The only exception to this rule is if the company isn't acknowledging, responding, or communicating in any way. In that case you'd wait around three months, send a follow-up email warning them you'll publicly disclose the vulnerability, wait another three months, and then publish it.

mmsc a day ago

> I checked on my laptop what other tables were ordering to get a quick vibe check of the place. I could've just looked around, but it felt cooler to do it on the laptop.

I think it would be great if you could go to a restaurant and they had this data available. Sure, some menus say "best seller!" but I don't believe them all the time. And tastes change, chefs, etc.

jonplackett a day ago

This is offline now. Can anyone do a recap of what was revealed, without actually revealing whatever bad things were revealed?

  • sureglymop a day ago

    Yes. It was an article from someone who went into a café which had a QR code based ordering system. After ordering through the system they decide to open their laptop and inspect/look at the API of the system (a system apparently used across India).

    They realize that the whole API does not use authentication or authorization and start reverse engineering it/trying out various endpoints. They can then do things like ordering stuff for other tables, calculate earnings of restaurants, etc.

    They probably took it down because they disclosed it publicly directly instead of contacting that QR code based ordering service provider (which I won't mention the name of).

    Given that this is a substack which has a newsletter, this article has probably reached many people before being taken offline.

krab 2 days ago

Nice find!

There's a problematic but not critical personal information leak, a mild business intelligence leak and that's about it.

> They could keep this script running for months, even years, creating awkward scenes and uncomfortable conversations at every restaurant across the country.

If that's about the worst thing you can actively do, then it's only about the data leak.

  • McDyver 2 days ago

    "Why were you at X when you told me you were at Y? And why did you order for 2 people? Why have you been going there for the last Z months?"

    "By following the pattern of when you were there and what you ordered, I found the other person's details too"

  • urbandw311er 2 days ago

    In the EU the leak of the mobile number alone would be sufficient for this to count as a serious breach

  • sschueller 2 days ago

    Aren't phone numbers being leaked if you iterate over the tables?

    • krab 2 days ago

      Yeah, that's the PII leak.

  • zekica 2 days ago

    No, that's the most inconvenience you can cause. There are worse things you can do: target specific people with spurious orders, cancel everything they order, or if you want add random items to every order, making the entire system useless.

    • jatins 2 days ago

      People are underestimating the havoc this could create in a country like India. Imagine serving chicken at a table that is strictly vegetarian (many people in India are vegetarian due to religious reasons); it would lead to a lot of outrage.

      • sjamaan 2 days ago

        This could even be lethal if you are ordering something you know the target is allergic to...

kapilpatel a day ago

Who says there was no security, indeed there was security by obscurity!

andai a day ago

The other day I used one of these "order with QR" things for the first time. I ordered nachos and they brought me a fish! Curse you peabee!

segalord 17 hours ago

My man’s got a legal notice out against him

eleveriven 2 days ago

A glaring example of how convenience can often come at the expense of privacy and security

tomw1808 2 days ago

Next up: "How I became a millionaire by consulting restaurants on Menu items and targeted Text Message Ads" ...

Seriously, it's a PII leak and it should be reported. And since you said Google is an investor, someone (theoretically) should care.

  • captn3m0 2 days ago

    I looked around to find a security contact at DotPe, and couldn’t find anything. Hopefully, this HN post raises enough alarms.

    • tomw1808 2 days ago

      The website really seems to follow Google's best practices on human interaction: hide as much as possible.

      If it wasn't so sad, it would be almost funny that their Terms & Conditions page errors out (for me). The whole page looks pretty broken, like the landing page is an afterthought...

      Anyway, the closest thing to a "contact us" I found (after looking for 15 seconds and randomly clicking links) is https://dotpe.in/contact-us.html. Maybe that helps to get in touch at least...

    • gorbachev 2 days ago

      The fastest way to get in contact with DotPe would be to contact their biggest customer and inform them of this. They'd be on the phone with DotPe within an hour.

      Good thing the APIs can be used to easily identify that company. /s

jeanlucas a day ago

It returns "Page not found"

gyhnol 2 days ago

> Armed with my two-week free trial of Cursor IDE,

Makes this blog post sound like an advert for whatever this product is.

Maybe the next big app for AI is to analyze web pages and scrub this crap out of otherwise decent articles.

  • aulin 2 days ago

    I think it was a sarcastic way to stress how low effort the whole endeavour required.

Technetium a day ago

Author has removed the article.

Elfener 2 days ago

From the title, I thought this was going to be about a very big QR code (presumably with a comically long URL).

hnbad a day ago

Looks like the article was deleted and purged from archive.org. I wonder if anyone saved a copy elsewhere?

From the comments it seems likely the author realized they may have accidentally committed a crime or at least done something that could cause real legal consequences for them and quickly destroyed the evidence. That's probably better than leaving it up but I'd wager it wouldn't protect them from any legal consequences publishing the article already made possible.

mak8 a day ago

Finally someone woke up and secured it.

  • mak8 a day ago

    • ks2048 a day ago

      IndiaToday not doing this guy a favor using the word "hacker". Top bullet point: "Hackers accessed sensitive data...". Even the graphic at the top says "SYSTEM HACKED".

      • mak8 a day ago

        Yes, agree. At the same time, the company bears significant responsibility under the law. Their unconventional and insecure API implementation likely violates multiple provisions of the Act. They could face substantial penalties and legal consequences for failing to adequately protect personal data and implement appropriate security measures.

sylware a day ago

A zero-click exploit targeting big tech web engines (blink|gecko/webkit).

yawpitch 2 days ago

Well, this certainly is an interesting case of the abuse of servers to abuse servers. It’s almost teaching recursion.

Please no one write that random script… f*king up high cash flow but ultimately usually pretty low margin businesses like these, while also pushing the poor staff around in a way that costs them time and very likely wages is really, really, really bad karma.

2Gkashmiri 2 days ago

This is fun because I can confidently say "bureaucracy" runs on adverts. Whatever flashy, big banner photo op you can find, people lap that up. Why? Because of the immense population of India. EVERYTHING works here.

You can spend countless hours trying to break your application, finding holes but who cares.

Police care about financial fraud. Did someone clickbait you into being swindled out of money? Well, they will pounce on it, because they will extract their cut from all involved and it gives them nice PR in the daily newspaper.

PII fraud or vulnerability, eh well. Who's gonna notice? We have enough on our plates.

Second thing: whatever the government is doing, they protect themselves at all costs. They WILL throw you under the bus if it protects their interests.

Why? Because of the massive population, jobs are scarce; people get college degrees and stuff to pad up their resumes because employers, govt or private, REQUIRE documentary evidence you did something. Doesn't matter your skills; you have the papers or not.

This DotPe company, whatever it's doing, is indicative of the systemic problems in India. You have lots of people, lots of smart people, lots of dumb people, and in the long run: bigger, cheaper, faster. That's all that matters.

dncornholio 2 days ago

Scummy article to be honest. Also good reminder to not fill in your phone number online, ever.

  • linhns 2 days ago

    A better way would be to note down scammers' numbers and then fill those in instead.