0 2.6K

Dotpe API Security Breach

Categories: Business Security
Dotpe API Security Breach

Indian startup Dotpe, which raised ~$100M to build point-of-sale systems for restaurants, left their entire API fully public.

Originally First user who found the issue already removed the post, due legal request from the company:

pea bee

But you can find the post in the web archive.

We try to find out what happens and here is the most important highlights from Pea Bee post:

I opened my browser's dev tools to inspect the API requests - they looked OK. A request to get details of the cafe, a request to get all the items on the menu, a request to check if the store is running any promotional offers - just the usual stuff. Then I saw a couple of interesting requests:

/api/morder/suggestion/ongoing/items?storeID=XXXX
/api/morder/suggestion/items/purchase/history?merchantID=YYYY&storeID=XXXX

The first request listed the food items currently ordered at the cafe. The second returned how many times each item was ordered in the past month.

The coffee I had ordered showed up on the list of ongoing items. I looked around the cafe and noticed other food on tables matched items on the list too. This information should be for the cafe's admin staff only, so why can I see it?

The purchase history API provided a count of each food item ordered over the past month. The menu API gave the price of each food item. So I wrote a small script to calculate the cafe's dine-in revenue for the last month.

Dotpe

Are there other unauthenticated APIs leaking important information? There are so many. For example:

/api/morder/suggestion/items/past-fav?storeID=XXXX&merchantID=YYYY&phone=9999999999

This returned my previous orders at this cafe. They probably use this data to show my past orders in the menu for reordering. Similar to what Swiggy or Zomato do. It is an understandable use case. But I changed the mobile number to my friend's, who had been to the cafe before, and I could see their past food orders too. That's not good!

Here is another example:

/api/morder/fd/table/state?storeID=XXXX&tableID=TT

This one returned my name, mobile number, a numeric order ID, and an order hash ID of the order I had placed on my table. Standard stuff.

But then I changed the table ID which was just a number (01) to the table ID (02) of the guy sitting across from me. I could see his name, mobile number, and order details. From the order ID hash, I could now also see what items he had ordered and what his bill was. From the mobile number, I could see all the food he had ever ordered in this cafe. I felt dirty that I knew that this stranger across the table had ordered Oat Milk Iced Vanilla Latte 18 times in this cafe.

37,529 restaurants use Dotpe for QR codes. This includes big chains like Starbucks, Pizza Hut, Haldiram's, Social, Barista, and Paradise Biryani. Of these, 2,052 are either closed, defunct, or used as internal test or dummy restaurants. From my analysis, they currently have 10,866 operational dine-in restaurants.

Now that COVID restrictions are no longer in place, it appears that restaurant chains such as Starbucks, Pizza Hut, and Barista have abandoned Dotpe's QR code services. Last month's purchase history data for these brands showed only a very few items. In fact, only 1,314 restaurants had a food item ordered in the last month.

On the other hand, a few restaurant chains have embraced Dotpe's platform in a huge way. Two notable examples are The Social and Paradise Biryani.

The Social's data is especially interesting. Their order numbers are mind-boggling. Most of their pubs across the country are doing incredible business. There are 53 operational Social pubs in the country.

I wrote a little script to calculate their earnings from all their pubs. And here is the data:

heir order numbers are mind-boggling

Of course, it depends on the accuracy of Dotpe's data, but they're making some 18.3 crores from their dine-in business. Which would make it more than 200 crores a year. That's a lot of money! I still can’t believe I’m allowed to see this!

I noticed a fun difference between top-selling items in various Socials. Typically, Nachos are the bestseller in most Socials, but in most North Indian Social branches, "Banarasi Patiala with Vodka" is almost always the top-selling item. Make of this what you will.

Here is a list of top-selling item at each Social:

Here is a list of top-selling item at each Social:

I need to speak about one more API endpoint:

/api/morder/fd/table/state?storeID=XXXX&tableID=TT&OrderID=OOOO

I found that for any live order on a table, if I changed the order ID (again a numeric ID 🤷‍♂️), I could get details of any order made anywhere in India, including all historical records. I could retrieve orders going as far back as 2021.

This means I could run a simple loop and access all food orders ever made via Dotpe. If you ever went to a restaurant and scanned a QR code that opened Dotpe's website, I can see what you ordered and how you paid.

I could then extract these orders by mobile numbers. I could use easily available leaked personal data about you to collate and consolidate more information about you. I can think of one or two companies that would be interested in this data. I'd be surprised if Dotpe isn't already selling this data to third parties.

I would have thought about privately disclosing these findings to Dotpe. But all the API requests are right there in plain sight for anyone at Dotpe taking even a cursory look at their own websites. I refuse to believe they’re unaware of this. This doesn’t feel like an oversight, it's either a deliberate design decision or they just don't care.

The text was taken from the removed Pea Bee Article.

Update: Currently the dotpe patch their API and most of them return 403, but some of them, for example still return data.

Comments:

Please log in to be able add comments.