Comment by alex43578
19 hours ago
That’s such a benign vulnerability that it doesn’t even feel like one. Per your description, the worst thing an attacker can do is see the food ordered to a check number (in a public restaurant) and pay a bill that isn’t their own?
On the flip side, some services go absolutely overboard trying to secure low-blast-radius things, or don’t properly scale security to the risk of an activity. I have a service provider that requires an absurd login flow for their website, continually trying to force passkeys, short session timeouts, etc; when the worst an unauthorized attacker could do is pay my bill (the horror!).
> That’s such a benign vulnerability that it doesn’t even feel like one.
You could farm the data to see how the shop is doing.
It's not benign. An attacker could surf multiple IDs until they find one lower than their own and pay it instead. It's a viable attack. If the store disputes it, you can demonstrate that you paid and produce a receipt.
Enumeration vulns are very serious, it’s just luck that this one appeared to be low risk.
A competitor of the restaurant could see everything that was ordered that night. Pretty serious imo.
Or profile the customers of every business, by changing both IDs.
But that’s my point: not all risks are the same. A cache issue that serves you someone else’s crossword puzzle is an inconvenience, but a cache issue that serves you someone’s credit report is way worse.
But what does it say about the payment app if it doesn't bother to secure the low hanging fruit?
If you had a large stock of stolen CCs you could use this to pay a buck or two on everyone's bill and verify that the cards are valid.
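The card-testing abuse described in the comment above leaves a recognisable shape in payment telemetry: one client, many distinct cards, tiny partial payments spread over other people's checks, and a mix of approvals and declines. The following detector is an added example, not code from the payment app or from anyone in this thread; the event fields, thresholds and the sample events are all constructed assumptions.

```python
"""Added example: flag card-testing (many stolen cards, small partial
payments on other people's checks). Event format, thresholds and sample
data are assumptions, not the payment app's real telemetry."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PaymentEvent:
    ts: int                 # seconds since an arbitrary epoch
    client: str             # session id or source IP (assumed field)
    check_id: str
    card_fingerprint: str   # hash/token of the card, never the PAN itself
    amount_cents: int
    approved: bool


# Constructed sample events: one diner paying a full bill, one client
# testing five different cards with one- or two-dollar payments, one more
# normal payment later on.
EVENTS = [
    PaymentEvent(0,   "10.0.0.5", "1001", "card-a", 4250, True),
    PaymentEvent(30,  "10.0.0.9", "1002", "card-b", 100,  True),
    PaymentEvent(35,  "10.0.0.9", "1003", "card-c", 150,  False),
    PaymentEvent(40,  "10.0.0.9", "1004", "card-d", 100,  True),
    PaymentEvent(45,  "10.0.0.9", "1005", "card-e", 200,  False),
    PaymentEvent(50,  "10.0.0.9", "1006", "card-f", 100,  True),
    PaymentEvent(600, "10.0.0.7", "1007", "card-g", 1800, True),
]


def flag_card_testing(events, window_s: int = 300, min_cards: int = 4,
                      max_partial_cents: int = 500) -> dict:
    """Return {client: summary} for clients that, within any window_s
    window, used at least min_cards distinct cards to make small partial
    payments on at least min_cards distinct checks. Thresholds are
    illustrative; tune them to real traffic."""
    by_client: dict[str, list[PaymentEvent]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_client[e.client].append(e)

    flagged: dict[str, dict] = {}
    for client, evs in by_client.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits in window_s
            while evs[end].ts - evs[start].ts > window_s:
                start += 1
            window = evs[start:end + 1]
            small = [e for e in window if e.amount_cents <= max_partial_cents]
            cards = {e.card_fingerprint for e in small}
            checks = {e.check_id for e in small}
            if len(cards) >= min_cards and len(checks) >= min_cards:
                summary = {
                    "cards": len(cards),
                    "checks": len(checks),
                    "declines": sum(not e.approved for e in small),
                }
                # keep the widest triggering window for this client
                if client not in flagged or summary["cards"] > flagged[client]["cards"]:
                    flagged[client] = summary
    return flagged


if __name__ == "__main__":
    for client, summary in flag_card_testing(EVENTS).items():
        print(client, summary)
```

A genuine diner settling a shared bill may well split it across two or three cards, which is why the rule keys on distinct checks as well as distinct cards; the decline ratio in the summary is the second tell, since a real customer rarely sees 40% of their cards bounce.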
Eh, there could be privacy implications. E.g. you see someone in the restaurant whom you know, and you know he is not supposed to be drinking alcohol (for whatever reason: maybe his religion forbids it, maybe there's a medical reason for it such as a prescription drug he's on that really should not be mixed with alcohol, the reason doesn't really matter in this example). You see that he was served a pork chop with a side salad, so you scan through the check numbers and find out that only one order contained a pork chop and a side salad that day, and that order also included a glass of red wine. Congratulations, you have spied on your acquaintance and obtained potential blackmail material on him. What will you do with it? How good or evil a person are you?
And although that's a low-probability scenario, it's also something that could be solved pretty easily, by either using a GUID or at least random numeric IDs with 8 digits.
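To make the difference between the two ID schemes concrete, here is an added example (not code from the payment app or from anyone in this thread) that models the enumeration described above. It contrasts a store that hands out sequential check numbers with one that draws 8-digit IDs from the OS CSPRNG, as the comment suggests, and shows how far an attacker gets by probing around an ID they legitimately hold. The store classes, the sample orders and the `expected_probes_per_hit` estimate are all assumptions for illustration.

```python
"""Added example: sequential vs. random 8-digit check IDs under the
"surf nearby IDs" attack from the thread. Hypothetical code; store
names, sample orders and ID scheme are assumptions."""
from __future__ import annotations

import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    check_id: str
    store_id: str
    items: tuple[str, ...]
    total_cents: int


class SequentialStore:
    """Vulnerable pattern from the thread: check numbers count up, so one
    receipt reveals the whole neighbourhood of valid IDs."""

    def __init__(self, start: int = 1000) -> None:
        self._next = start
        self._checks: dict[str, Check] = {}

    def open_check(self, store_id: str, items: tuple[str, ...],
                   total_cents: int) -> Check:
        check = Check(str(self._next), store_id, items, total_cents)
        self._next += 1
        self._checks[check.check_id] = check
        return check

    def lookup(self, check_id: str) -> Check | None:
        # No ownership check: anyone who knows an ID can read the check.
        return self._checks.get(check_id)


class RandomIdStore(SequentialStore):
    """Hardened variant: IDs are 8 random digits from secrets.randbelow,
    so a known ID carries no information about any other one."""

    ID_DIGITS = 8
    ID_SPACE = 10 ** ID_DIGITS

    def open_check(self, store_id: str, items: tuple[str, ...],
                   total_cents: int) -> Check:
        while True:  # retry on the rare collision
            check_id = f"{secrets.randbelow(self.ID_SPACE):0{self.ID_DIGITS}d}"
            if check_id not in self._checks:
                break
        check = Check(check_id, store_id, items, total_cents)
        self._checks[check_id] = check
        return check


def enumerate_near(store: SequentialStore, known_id: str, width: int) -> list[Check]:
    """Attacker from the thread: start from an ID you legitimately hold
    (your own receipt) and probe the IDs on either side of it."""
    base = int(known_id)
    hits = []
    for n in range(max(base - width, 0), base + width + 1):
        check = store.lookup(str(n).zfill(len(known_id)))
        if check is not None:
            hits.append(check)
    return hits


def expected_probes_per_hit(id_space: int, live_checks: int) -> float:
    """Blind guessing against random IDs: each probe hits with
    probability live_checks / id_space."""
    return id_space / live_checks


# Constructed sample orders, not real data.
SAMPLE_ORDERS = [
    ("store-7", ("pork chop", "side salad", "red wine"), 4250),
    ("store-7", ("burger", "fries"), 1800),
    ("store-7", ("soup",), 900),
    ("store-7", ("pasta", "sparkling water"), 2600),
    ("store-7", ("salad",), 1200),
]


def demo(store_cls) -> tuple[int, int]:
    """Open the sample checks, then enumerate from the attacker's own one.
    Returns (checks opened, checks the attacker found)."""
    store = store_cls()
    checks = [store.open_check(*order) for order in SAMPLE_ORDERS]
    attacker_own = checks[2]
    found = enumerate_near(store, attacker_own.check_id, width=len(checks))
    return len(checks), len(found)


if __name__ == "__main__":
    print("sequential:", demo(SequentialStore))  # every check found
    print("random:", demo(RandomIdStore))         # only the attacker's own
    print("blind probes per hit, 10^8 IDs, 200 live checks:",
          expected_probes_per_hit(RandomIdStore.ID_SPACE, 200))
```

Unguessable IDs raise the cost of enumeration from "walk ten numbers" to hundreds of thousands of probes per hit, which rate limiting can then make visible; they are not a substitute for binding the check to the table or session that opened it, since an ID printed on a receipt is still a bearer secret.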
I don't think you've got an expectation of privacy when it comes to what you're eating in a restaurant. You could just walk over to their table.
Isn’t it way easier and way more damaging to just take a photo of him? Receipts aren’t even associated by name unless you’re picking up food.
True; a more realistic scenario would have to include "covert surveillance" (where you don't want to let him know you're watching), and even there I'm not sure much could be gleaned about any individual. In theory you could use that to build up a picture of someone's habits, in practice other techniques are better. Though... you could use that to spy on the store, actually. If you're a tax auditor making sure they aren't underreporting their sales, that could be useful.
But yeah, any idea I come up with to exploit that is always a bit of a stretch.
And before someone comments about the hypothetical religious person eating pork, I was actually thinking of a Mormon acquaintance of mine when I wrote that. Mormons are not supposed to drink alcohol, but pork is perfectly okay. If you were thinking of some other religion that forbids both alcohol and pork, well, that's not what I was thinking about.
Why should we be protecting hypocrisy though?
Living in a nation where ones religion gives you protection under the law and allows you to do things others can't, I don't think you can defend covering up instances of people not living up to the standards they themselves set, and therefore give them special privileges.
How is it different to a police officer doing something slightly illegal. Should we respect their privacy or should we hold them to the high standards they supposedly hold?
I mean I could just go over there and see it.
Normally I've not seen any bill that includes the identity of the customer, so it can't even be used as proof.