Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
alex43578 5 hours ago

That’s such a benign vulnerability that it doesn’t even feel like one. Per your description, the worst thing an attacker can do is see the food ordered to a check number (in a public restaurant) and pay a bill that isn’t their own?

On the flip side, some services go absolutely overboard trying to secure low-blast-radius things, or don’t properly scale security to the risk of an activity. I have a service provider that requires an absurd login flow for their website, continually trying to force passkeys, short session timeouts, etc; when the worst an unauthorized attacker could do is pay my bill (the horror!).

EagnaIonat 20 minutes ago | parent | next [-]

> That’s such a benign vulnerability that it doesn’t even feel like one.

You could farm the data to see how the shop is doing.

f17428d27584 2 hours ago | parent | prev | next [-]

Enumeration vulns are very serious, it’s just luck that this one appeared to be low risk.

swader999 2 hours ago | parent | next [-]

A competitor of the restaurant could see everything that was ordered that night. Pretty serious imo.

zmgsabst 2 hours ago | parent [-]

Or profile the customers of every business, by changing both IDs.

alex43578 an hour ago | parent | prev [-]

But that’s my point: not all risks are the same. A cache issue that serves you someone else’s crossword puzzle is an inconvenience, but a cache issue that serves you someone’s credit report is way worse.

Eisenstein 27 minutes ago | parent [-]

But what does it say about the payment app if it doesn't bother to secure the low hanging fruit?

rmunn 3 hours ago | parent | prev [-]

Eh, there could be privacy implications. E.g. you see someone in the restaurant whom you know, and you know he is not supposed to be drinking alcohol (for whatever reason: maybe his religion forbids it, maybe there's a medical reason for it such as a prescription drug he's on that really should not be mixed with alcohol, the reason doesn't really matter in this example). You see that he was served a pork chop with a side salad, so you scan through the check numbers and find out that only one order contained a pork chop and a side salad that day, and that order also included a glass of red wine. Congratulations, you have spied on your acquaintance and obtained potential blackmail material on him. What will you do with it? How good or evil a person are you?

And although that's a low-probability scenario, it's also something that could be solved pretty easily, by either using a GUID or at least random numeric IDs with 8 digits.

alex43578 an hour ago | parent | next [-]

Isn’t it way easier and way more damaging to just take a photo of him? Receipts aren’t even associated by name unless you’re picking up food.

rmunn an hour ago | parent [-]

True; a more realistic scenario would have to include "covert surveillance" (where you don't want to let him know you're watching), and even there I'm not sure much could be gleaned about any individual. In theory you could use that to build up a picture of someone's habits, in practice other techniques are better. Though... you could use that to spy on the store, actually. If you're a tax auditor making sure they aren't underreporting their sales, that could be useful.

But yeah, any idea I come up with to exploit that is always a bit of a stretch.

rmunn 3 hours ago | parent | prev | next [-]

And before someone comments about the hypothetical religious person eating pork, I was actually thinking of a Mormon acquaintance of mine when I wrote that. Mormons are not supposed to drink alcohol, but pork is perfectly okay. If you were thinking of some other religion that forbids both alcohol and pork, well, that's not what I was thinking about.

el_io 2 hours ago | parent | prev [-]

I mean I cloud just go over there and see it.

Normally I've not seen any bill that includes the identity of the customer, so it can't be even used as proof.