Several popular Turkish food delivery services route their orders to restaurants through a third-party integration provider whose platform has been leaking sensitive customer information with every incoming order, and was still doing so at the time of writing. Attackers can target both restaurants and their customers.
On January 24th, 2024, the Cybernews research team discovered a publicly reachable order-routing platform operated by Paketle Lojistik Hizmetleri and used by popular Turkish food delivery services to pass orders to restaurants. The platform was built on multiple instances of Apache Kafka, an open-source distributed event-streaming system, serving as a central hub.
No authentication is required to access the system, and it’s currently a fountain spraying jets of personal data.
“Each time a new order comes, any outsider can find out sensitive customer information, such as names, home addresses, phone numbers, email addresses, order details, IP addresses, and some authentication tokens,” our researchers said.
The leaked data concerns Turkey only and consists of personal information from orders placed through these food and grocery delivery services. Most of the popular Turkish food delivery services appear to use this platform.
Researchers were able to find orders placed through these food delivery apps:
- Getir, with 4.8M monthly website visitors and 10M+ downloads on Google Play
- Yemek Sepeti, also with 4.8M monthly website visitors and 10M+ downloads on Google Play
- Migros, 184K monthly website visitors, 10M+ downloads on Google Play
- Trendyol, 27K website monthly visitors, 1M+ downloads on Google Play
- Other order-source categories in the leak include Çağrı Merkezi (call center), Manuel (manual), Paket (package), and Şube (branch), among others.
Paketle appears to be a software and service integration provider that allows restaurants to align their systems with many food delivery apps and courier services.
“These instances belonged to a restaurant integration provider, allowing restaurants to receive orders placed on popular food delivery services, therefore affecting the users of these food delivery apps,” the Cybernews research team explained.
The Cybernews research team emailed the company eight times in total between January 25th and March 4th to disclose that anyone could connect to its Kafka instances and read the customer information passing through them. However, the firm does not seem too concerned: the Kafka instances were still accessible at the time of writing.
Additionally, researchers disclosed the incident to the authorities in Turkey, including the local computer emergency response team. Paketle did not respond to the inquiry to comment on the incident.
Attackers may have collected millions of records
Kafka is normally used not as a traditional database but as a real-time data streaming system: producers publish messages to topics hosted on one or more brokers, and consumers read them, which decouples the internal and external systems that exchange data. Anyone who can reach a broker without authenticating can act as a consumer.
On the date of the investigation, the discovered Kafka instances retained order data for the previous ten days, with new orders arriving every minute. That window alone held 84,000 individual orders.
“An attacker could continue listening into these transmissions for a prolonged period of time in order to collect a larger amount of sensitive user data,” researchers explain.
According to public indexing services, these Kafka instances have been publicly accessible for over a year. Malicious actors can read orders placed through the platform in real time. Extrapolating the observed volume, an attacker could have accessed over 3 million unique orders during the time the instances were exposed.
With access to the system, malicious actors can maintain persistence and continue receiving data on new orders for a prolonged period of time.
“This vulnerability poses a severe threat to the online and physical security of customers using Turkey's most popular food delivery services. Attackers, having real-time access, could steal orders, arrive at a customer’s home pretending to be a courier, or perform time-sensitive phishing attacks. People expecting a delivery soon are more willing to engage with a phishing message,” our researchers said.
The leaked information could also be used for phishing, spam, identity theft, doxxing, and other common cybercrimes.
Restaurants are not safe, either. Because the brokers accept unauthenticated connections, malicious actors could also act as producers and push their own messages through the integrated systems. Attackers might be able to create fake orders, obtain food and other products for free, or create havoc in the systems.
“The leaking web requests also included API routes and authentication tokens, allowing the attackers to connect and query the API directly. The API is publicly accessible. There’s no need to be on a specific network to access it,” the Cybernews research team noted.
The full palette of risks also includes financial damages, harm to the companies’ reputations and relations with partners, and legal risks.
Negligence
The Cybernews research team believes that the third-party service provider is responsible for this leak.
“Such systems should not be left exposed to the public with broken access control or without any authentication at all, as in this case. Enabling authentication and configuring IP whitelisting are the first steps to ensure that the system can only be accessed from a trusted network,” researchers concluded.
Other recommendations include enabling TLS encryption on the brokers' listeners and implementing monitoring and logging to detect and respond to unauthorized activity.
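The recommendations above map onto a handful of settings in a broker's server.properties, and the ten-day retention window described earlier is a setting in the same file. The following linter is an added example, not Cybernews' or Paketle's configuration: it parses a server.properties file, resolves each listener to its security protocol, and flags the combinations that leave a broker open to anonymous readers. The two embedded configuration files are constructed for illustration, with made-up hostnames and paths; the 240-hour retention in both mirrors the article's ten days and is left unchanged because retention decides how much history a reader gets, not who gets to read.

```python
"""Lint a Kafka broker's server.properties for the exposure pattern the
article describes: listeners that accept anyone, no authorizer, no TLS.
Added example, not Cybernews' or Paketle's configuration.  The two sample
files are constructed for illustration; hostnames and paths in them are
made up.  Firewalling the brokers (the article's IP whitelisting) happens
outside this file and is not checked here."""


def parse_properties(text):
    """Minimal Java .properties reader: blank and '#'/'!' lines are skipped,
    the first '=' splits key and value, surrounding whitespace is dropped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def listener_protocols(props):
    """Map each entry of `listeners` to its security protocol, resolving
    custom listener names through listener.security.protocol.map."""
    proto_map = {}
    for item in props.get("listener.security.protocol.map", "").split(","):
        if ":" in item:
            name, proto = item.split(":", 1)
            proto_map[name.strip().upper()] = proto.strip().upper()
    protocols = {}
    for item in props.get("listeners", "").split(","):
        item = item.strip()
        if item:
            name = item.split("://", 1)[0].upper()
            protocols[item] = proto_map.get(name, name)
    return protocols


def audit(text):
    """Return a list of findings; an empty list means none of the checks fired."""
    props = parse_properties(text)
    findings = []
    protocols = listener_protocols(props)
    if not protocols:
        findings.append("no listeners configured: broker falls back to PLAINTEXT on port 9092")
    for listener, proto in protocols.items():
        if proto == "PLAINTEXT":
            findings.append(f"{listener}: no authentication and no encryption")
        elif proto == "SSL" and props.get("ssl.client.auth", "none").lower() != "required":
            findings.append(f"{listener}: TLS without client certificates, clients stay anonymous")
        elif proto == "SASL_PLAINTEXT":
            findings.append(f"{listener}: authenticated, but traffic is unencrypted")
    if "authorizer.class.name" not in props:
        findings.append("authorizer.class.name unset: no ACLs, every connection can read every topic")
    if props.get("allow.everyone.if.no.acl.found", "false").lower() == "true":
        findings.append("allow.everyone.if.no.acl.found=true: topics without ACLs are open to all")
    return findings


# Constructed: roughly what an exposed integration broker looks like.
WEAK_CONFIG = """
broker.id=1
listeners=PLAINTEXT://0.0.0.0:9092
advertised.listeners=PLAINTEXT://kafka.example.internal:9092
allow.everyone.if.no.acl.found=true
log.retention.hours=240
"""

# Constructed: the same broker with authentication, ACLs and TLS turned on.
# Keystore/truststore passwords and the SASL JAAS settings are omitted here.
HARDENED_CONFIG = """
broker.id=1
listeners=ORDERS://0.0.0.0:9093
listener.security.protocol.map=ORDERS:SASL_SSL
inter.broker.listener.name=ORDERS
advertised.listeners=ORDERS://kafka.example.internal:9093
sasl.enabled.mechanisms=SCRAM-SHA-512
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512
ssl.keystore.location=/etc/kafka/broker.keystore.jks
ssl.truststore.location=/etc/kafka/truststore.jks
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
allow.everyone.if.no.acl.found=false
super.users=User:admin
log.retention.hours=240
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or ['no findings']}")
```

On KRaft-mode clusters the authorizer class is org.apache.kafka.metadata.authorizer.StandardAuthorizer instead of AclAuthorizer. The other two recommendations sit outside this file: restrict who can reach the listener port at the firewall or security group, and turn on the authorizer's log (the kafka.authorizer.logger logger in Kafka's log4j configuration) so that denied requests show up in monitoring.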