August 7, 2023

Disclosure: Fast Food Delivery Service

Our team occasionally scans APIs for various customer and research purposes, or in connection with a specific request. As we do this, we sometimes find vulnerabilities from third-party organizations. This article is part of an ongoing series of posts following some API vulnerabilities FireTail researchers have uncovered in the process…

An unauthenticated API belonging to a fast food company exposed receipts from all of its stores in India. Delivery receipts included PII such as full names, phone numbers, and physical addresses.

The fast food company uses an e-receipt system. The vulnerability was lying in the way the login panel was functioning, resulting in authentication bypass.

This resulted in exposing API endpoints which could be requested without authentication to get the receipts of hundreds of stores in India. Many of those receipts were delivery receipts that contained PII such as full names, phone numbers and physical addresses.

The issue was reported on August 07, 2023 and it seems now fixed.

Lina Romero

Viktor Markopoulos

Security Researcher

Browse all posts

October 22, 2024

FireTail Joins Wiz Integration (WIN) Platform

Technology Partnership Enables Mutual Customers to Reduce Cloud Risk and Enhance API Security



October 16, 2024

Disclosure: Multiple Vulnerabilities in Granicus eFiling Platform

Granicus, a platform offering government solutions including an efiling platform called eUniversa, was recently discovered to be vulnerable to outside attack.



October 16, 2024

Star Health Data Leak: The Call is Coming from Inside the House

Star Health suffered a massive data leak via API access. The personal information of millions of victims has been compromised, and worst of all, there may have been an insider who facilitated the breach.

