News article: https://www.msn.com/en-in/money/news/google-backed-dotpe-s-apis-expose-sensitive-data/ar-AA1ra3xx

This startup provides a shitty digital menu for restaurants. You scan a QR code that takes you to a terrible website where you submit your order. Once it's ready the waiter brings it to you.

Someone opened their ordering webpage on a PC and looked at the API calls being made using their browser’s dev tools. Turns out the entire API is public. This person was able to order on behalf of another table and view records of all the sales that took place at the restaurant.
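
The authorization gap described above, as an added illustration that is not from the article or DotPe's code: a toy ordering API whose "broken" handlers trust client-supplied restaurant and table ids (so any table can be ordered for and any restaurant's sales listed), beside hardened handlers that take identity from a server-side session. The `Session`, `Store` and "cafe-1" data are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

class Forbidden(Exception): pass

@dataclass
class Session:
    # Scanning a table's QR code yields a diner session pinned to one restaurant
    # and one table; staff get a merchant session with no table (assumed model).
    restaurant: str
    table: Optional[int] = None
    role: str = "diner"          # "diner" or "merchant"

@dataclass
class Store:
    orders: list = field(default_factory=list)
    sales: dict = field(default_factory=dict)   # restaurant -> sale records

# Broken: the server honours whatever ids the client sends, so anyone who reads
# the calls in browser dev tools can replay them with another table or shop.
def place_order_broken(store, restaurant, table, items):
    store.orders.append((restaurant, table, tuple(items)))
    return True

def list_sales_broken(store, restaurant):
    return list(store.sales.get(restaurant, []))

# Hardened: identity comes from the server-side session, never the request body.
def place_order(store, session, table, items):
    if session.role != "diner" or session.table != table:
        raise Forbidden("order is not bound to the caller's own table")
    store.orders.append((session.restaurant, table, tuple(items)))
    return True

def list_sales(store, session, restaurant):
    # Sales history is merchant data: diners never see it, and a merchant
    # session only unlocks the restaurant it was issued for.
    if session.role != "merchant" or session.restaurant != restaurant:
        raise Forbidden("sales records require the restaurant's own login")
    return list(store.sales.get(restaurant, []))

def denied(fn, *args):
    """True if the call is rejected with Forbidden (helper for checks)."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False

def build_demo_store():
    """Constructed sample data: one restaurant with two past sales."""
    return Store(sales={"cafe-1": [{"table": 1, "total": 420}, {"table": 2, "total": 180}]})
```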

The funniest thing is, instead of disclosing this to DotPe, the person instead wrote a blog post and posted it on Hacker News for the updoots. While describing this situation as a “vulnerability” feels extremely charitable, I think he should have covered his bases to avoid lawsuits.