Comment by zenpe

This reminds me of how often "digital transformation" in hospitality introduces naive security architectures. ID enumeration vulnerabilities on restaurant QR codes are surprisingly common because these systems are often rushed to market by low-cost agencies.

While some might argue it's a "low-blast-radius" bug because an attacker can only view orders or pay someone else's bill, the data privacy implications are massive. Scraping that endpoint allows anyone to profile the restaurant's entire customer base, revenue flow, or busy hours. It's the classic side effect of replacing a robust human process with a poorly audited software layer.