Tyler Cross
Published on: June 12, 2024
A service provider used by multiple Turkish food delivery services was found to have a gaping vulnerability that leaked customer data each time an order was placed.
“Each time a new order comes, any outsider can find out sensitive customer information, such as names, home addresses, phone numbers, email addresses, order details, IP addresses, and some authentication tokens,” said the Cybernews research team.
Anyone who found the breach could see every aspect of the orders you placed. Making matters worse, the vulnerability has been live for more than a full year now. If even a single threat actor found the leaks before researchers, they could have theoretically obtained more than three million people’s records.
The leak in question didn’t appear to researchers to be caused by a sophisticated attack, but rather by negligence on the side of the service provider, Kafka.
“Such systems should not be left exposed to the public with broken access control or any authentication at all, as in this case. Enabling authentication and configuring IP whitelisting are the first steps to ensure that the system can only be accessed from a trusted network,” they explain.
Researchers discovered the leak in January and emailed the company on eight separate occasions since then, however, at the time of writing this the company has neither responded nor addressed the issue.
While a data leak can happen, it should never happen because a company refuses to take basic security precautions, such as authenticating administrative access to its data records. As it stands, hackers could use the stolen information for phishing scams, doxxing, identity theft, and more.
Multiple companies are affected by the service providers’ leaks, including food delivery apps with 10-plus million downloads.
Gemir and Yemek Sepeti are the largest affected companies, both seeing approximately 4.8 million monthly website visitors. Migros, another service with more than 10 million downloads, sees 184K monthly visitors.
Other businesses that were found to have data being leaked by Kafka include Trendyol, Manuel, Çağrı Merkezi, Sube, and Paket.
- SEO Powered Content & PR Distribution. Get Amplified Today.
- PlatoData.Network Vertical Generative Ai. Empower Yourself. Access Here.
- PlatoAiStream. Web3 Intelligence. Knowledge Amplified. Access Here.
- PlatoESG. Carbon, CleanTech, Energy, Environment, Solar, Waste Management. Access Here.
- PlatoHealth. Biotech and Clinical Trials Intelligence. Access Here.
- Source: https://www.safetydetectives.com/news/hackers-target-turkish-kebab-businesses/
