In a restaurant a year ago with "pay via your phone" service. Server gave us a receipt w/ a QR code. I scanned the code, copied the URL to my clipboard, and looked it over. There was a base64 blob on the URL. I decoded it (because Termux and I'm a nerd) and saw obvious parameters I could fuzz. I changed the check ID (incremented it), left the store ID alone, re-encoded it, and found I could access somebody else's check. Not a super exciting vulnerability (since all I could do was see what they ordered and pay their check) but I thought it was still pretty rotten that I could even do that.
On the flip side, some services go absolutely overboard trying to secure low-blast-radius things, or don’t properly scale security to the risk of an activity. I have a service provider that requires an absurd login flow for their website, continually trying to force passkeys, short session timeouts, etc.; when the worst an unauthorized attacker could do is pay my bill (the horror!).
You could farm the data to see how the shop is doing.
And although that's a low-probability scenario, it's also something that could be solved pretty easily, by either using a GUID or at least random numeric IDs with 8 digits.
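One way to make the receipt blob tamper-evident without changing the IDs, as an added example that is not from the original thread or the restaurant's system: keep store_id and check_id readable but append an HMAC under a server-held key, so a re-encoded blob with an edited check_id fails verification. SERVER_KEY, the field names and the token layout are assumptions for this example.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional

# Constructed key for this example; a real service would load it from a secret store.
SERVER_KEY = b"example-only-server-key"

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_check_token(store_id: int, check_id: int) -> str:
    """Encode the receipt parameters and append an HMAC-SHA256 tag over them.
    The parameters stay readable, as in the receipt blob above, but the tag binds
    them to the server key, so an edited check_id no longer verifies."""
    payload = json.dumps({"store_id": store_id, "check_id": check_id}, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)

def verify_check_token(token: str) -> Optional[dict]:
    """Return the decoded parameters if the tag verifies, otherwise None."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload, tag = _b64d(payload_b64), _b64d(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return json.loads(payload)

def rewrite_check_id(token: str, new_check_id: int) -> str:
    """Re-encode the payload with a different check_id but keep the old tag.
    This models a client editing the blob without the key; it must fail to verify."""
    payload_b64, tag_b64 = token.split(".", 1)
    params = json.loads(_b64d(payload_b64))
    params["check_id"] = new_check_id
    return _b64e(json.dumps(params, sort_keys=True).encode()) + "." + tag_b64

if __name__ == "__main__":
    token = issue_check_token(store_id=42, check_id=1001)
    print("original:", verify_check_token(token))
    print("edited:  ", verify_check_token(rewrite_check_id(token, 1002)))
```

Random, unguessable check references (the GUID suggestion above) reach the same goal without a key; this variant is for systems that want to keep their existing sequential IDs.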
Living in a nation where one's religion gives you protection under the law and allows you to do things others can't, I don't think you can defend covering up instances of people not living up to the standards they themselves set, and therefore give them special privileges.
How is it different to a police officer doing something slightly illegal? Should we respect their privacy or should we hold them to the high standards they supposedly hold?
Normally I've not seen any bill that includes the identity of the customer, so it can't be even used as proof.
I notified them and they said that this was noted, skipped, and they didn't believe it was an issue. Worst case scenario an attacker could... pay for someone else's order; if this happened the attacker would be found by their payment details. Likewise on the payment screen they only see the order's total, nothing about the customer, nothing else about the order, just the total. So - I'm not sure. Maybe they're right?
I just shrugged. I would've patched it, feels like poor design and is easy enough to fix - but I couldn't really argue other than to say it felt sloppy.
While some might argue it's a "low-blast-radius" bug because an attacker can only view orders or pay someone else's bill, the data privacy implications are massive. Scraping that endpoint allows anyone to profile the restaurant's entire customer base, revenue flow, or busy hours. It's the classic side effect of replacing a robust human process with a poorly audited software layer.