科技回声
Discovering a security vulnerability in a major grocery delivery platform

247 points, by domrdy, over 3 years ago

14 comments

username_my1, over 3 years ago

1M orders exposed and 200k customers' and workers' data exposed just because an AuthKey is allowed to query all customer data instead of user-specific data.

This means most likely a junior developer built this service, and on top GraphQL is used, which is built relational-first / security is one step away.

It sucks that companies grow fast in the tech scene and try to make their wealth using technology without really understanding it.
k__, over 3 years ago

I worked for a bunch of startups and I'm not surprised by this.

Nobody really cares. Security isn't a topic ever.

Founders pay you VC money to fly across the country to talk for days about UI wireframes, but nobody ever cares about where or how you store data.
ARandomerDude, over 3 years ago

> When will the industry finally learn?!

Never. There are too many people using too many technologies with too many deadlines and constant turnover. It will always be possible to find a service with simple vulnerabilities.
dr_faustus, over 3 years ago

I also find it just fascinating that anyone would pump hundreds of millions into a service which is a copycat anyhow and doesn't even own the IP on the only thing that could potentially differentiate them from their competitors.

I mean, hiring desperate people and students to make deliveries in a couple of cities at a loss seems not to be the greatest feat. Services like Uber at least have some tech in-house which is mildly innovative. But this is just pathetic.
float4, over 3 years ago

Personally I don't care about these data breaches anymore. My:

- full name, date of birth and email have been leaked by multiple websites;
- phone number was leaked by Facebook (added it for 2FA many years ago);
- address information can be found in the public database of the Chamber of Commerce.

That doesn't make negligence okay, but at least Gorillas and Flink both gave me a €15 discount on my groceries in return.
ho_schi, over 3 years ago

Zerforschung is funny; if you want a fun ride, read this about "making photobooks out of your personal messages":

https://zerforschung.org/posts/zapptales/

What could go wrong? Everything.
rad_gruchalski, over 3 years ago

> The tenantConfig however can be accessed without any restrictions. And the information delivered there is quite interesting: API keys and URLs for various services that are apparently used by the Gorillas/eddress infrastructure. Among them we found API keys for Sendgrid and Slack webhook URLs.

Unreal.
_wldu, over 3 years ago

Building applications is a complex problem. If you want a secure system, then security details have to be carefully considered at every layer (DB, API, front-end). Doing that requires expert security employees/consultants, time and money. On the other hand, profits are driven by new features, first to market and sales.

Companies can build insecure systems (that are profitable) much faster and much cheaper than they can build systems that are profitable and secure.

It has been my experience that security is seen as a necessary evil. It's not seen as a benefit or feature that customers want. Security employees/consultants are often seen as road-blocks or obstructionists. I think this is largely why technical security has been replaced by compliance. Just a check-the-box mentality. When they get hacked they can say, "but we were compliant and we'll do better next time".

IMPO, that basic conflict explains why systems are repeatedly compromised and why neither companies nor customers really care about good technical security.
sabertoothed, over 3 years ago

zerforschung.org does an amazing job!

They have also recently analyzed Djokovic's test certificate: https://zerforschung.org/posts/djokovic-pcr-test-en/

Stuff like that is super interesting. I love this investigative journalism. Another one I find captivating is: https://www.bellingcat.com/
GrumpyNl, over 3 years ago

The most basic mistakes were made here.
brazzy, over 3 years ago

Ugh. This inspired me to check the B2B application I'm responsible for as a manager. Guess what I found:

<input type="hidden" name="userId" value ="{{session.userId}}">

I'm sure you can guess what it's used for and what it's not compared against.
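Added example, not code from the thread or from any of the services discussed: a minimal Python order lookup showing the flaw behind both the hidden-field comment above and the earlier point about a key that can read any customer's data (an ownership check that trusts client-supplied identity), next to the fixed handler that derives the user from the server-side session. All names, ids and order data are constructed.

```python
from dataclasses import dataclass

# Constructed sample data (not from any real service): orders owned by two users.
ORDERS = {
    "o-1001": {"user_id": "u-alice", "items": ["milk", "bread"]},
    "o-1002": {"user_id": "u-bob", "items": ["eggs"]},
}


@dataclass
class Session:
    user_id: str  # set server-side at login, never taken from client input


class Forbidden(Exception):
    pass


def get_order_vulnerable(session: Session, form: dict, order_id: str) -> dict:
    """Vulnerable: the ownership check compares against form['userId'], the
    hidden-input value the client controls, so a caller can send the owner's id."""
    order = ORDERS[order_id]
    if order["user_id"] != form.get("userId"):
        raise Forbidden("not your order")
    return order


def get_order_fixed(session: Session, form: dict, order_id: str) -> dict:
    """Fixed: any client-supplied identity is ignored; ownership is checked
    against the authenticated session. Missing and foreign orders get the same
    error so the response does not reveal which order ids exist."""
    order = ORDERS.get(order_id)
    if order is None or order["user_id"] != session.user_id:
        raise Forbidden("not your order")
    return order


def demo() -> tuple:
    """Bob submits Alice's id in the hidden field while logged in as himself.
    Returns (leaked_by_vulnerable_handler, blocked_by_fixed_handler)."""
    bob = Session(user_id="u-bob")
    spoofed_form = {"userId": "u-alice"}
    try:
        get_order_vulnerable(bob, spoofed_form, "o-1001")
        leaked = True
    except Forbidden:
        leaked = False
    try:
        get_order_fixed(bob, spoofed_form, "o-1001")
        blocked = False
    except Forbidden:
        blocked = True
    return leaked, blocked
```

The same rule applies to an API key: a key scoped to one account should only be able to resolve that account's objects, and the server, not the request, decides which account that is.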
victor106, over 3 years ago

Different topic

> Gorillas has experienced extreme growth in recent weeks and also raised another absurd 290 million US dollars in venture capital

It does not seem absurd considering the current market valuations of online retailers.
thih9, over 3 years ago

> The API key of Gorillas for 100 of these so-called “scopes”, the one of Liban Post for more than 200

How did they check the scopes? Did they use these API keys to make requests? Would that be legal?
baeschtl, over 3 years ago

That article is from October 2021.