How Google-Backed DotPe’s ‘Human Error’ Exposed Confidential Customer Data

How Google-Backed DotPe’s ‘Human Error’ Exposed Confidential Customer Data

SUMMARY

An X user posted a detailed blog of his interaction with DotPe's APIs while placing orders in a restaurant and said he was able to access information of the restaurants to which the startup provides services

The blog post was taken down after DotPe intervened, but it initiated a debate online cybersecurity and other measures startups and companies need to take amid the increasing digitisation

DotPe said that a ‘human error’ led to the APIs remaining open and the error was rectified. It also said that it would enhance security across its entire product suite in the coming days

Amid an increase in cybersecurity-related incidents in India, Gurugram-based payments and commerce platform DotPe found itself in the middle of a public outcry this week over its lax cybersecurity guardrails.

On September 22, an X user named ‘Pea Bee’ posted a detailed blog of his interaction with DotPe’s APIs while placing an order at a restaurant to which the startup provides services. The post, which was taken down after DotPe intervened, raised serious concerns about leaks of personally identifiable information (PII), thanks to the completely open APIs published by the platform. 

For instance, scanning a QR code in a DotPe partner restaurant enabled ‘Pea Bee’ to not only place orders for himself but also for other individuals at the restaurant. Besides this, sensitive information such as mobile numbers, order history and frequency of visits were also easily available through the APIs. 

Besides these details, the individual was able to access the order history for the outlet, as well as the monthly revenue for each of the restaurant’s locations across India.

“This is just one cafe. DotPe has thousands of dine-in restaurants across India. Can see what everyone in India is currently eating in real-time at all restaurants?… Surely their merchants won’t appreciate a random online person lurking around accessing their monthly sales figures,” his post on substack read.

How Google-Backed DotPe’s ‘Human Error’ Exposed Confidential Customer Data

Founded by Gyanesh Sharma, Anurag Gupta and Shailaz Nag in 2019, DotPe offers payment services to offline and online enterprises. It also helps offline enterprises go online and provides order management services.It counts the likes of Ola, Burger Singh, Spicelab, Barista, Social, Wat-a-Burger as its clients. Besides, it claims that its services are used by over 7.5 Mn merchants globally.

The startup has raised over $93.5 Mn in funding since inception. It is backed by the likes of Google, Temasek, Info Edge Ventures, PayU, among others. 

While the post was deleted, it picked up steam soon on social media platforms, and several others began digging into DotPe’s APIs to find other details. One user on X posted a list of the top-selling items at each restaurant of the SOCIAL chain. 

In response to the seeming security lapse, a DotPe spokesperson told Inc42 that it was a ‘human error’ that led to the APIs remaining open and accessible by anyone who wanted to dig around. 

The startup acknowledged the issue and said that a few of its API calls are intentionally kept open for easy access to information such as store ID, menu details, item prices, most ordered items and more. 

“The said error was promptly rectified upon discovery. Our other product offerings & databases remain unaffected. We prioritise merchant data security and have already implemented stronger measures in response. Over the coming weeks, we will further enhance security across our entire product suite. Protecting our merchants and their data remains our top priority, and we are committed to the highest standards of security and trust,” the spokesperson added. 

When we looked at the APIs, we were able to see store IDs of the restaurant chain SOCIAL. However, order details, history, and top orders weren’t visible, which indicates that DotPe has plugged the leak. 

APIs allow systems to communicate with each other and are vital for tech companies to facilitate transactions and other activities on the vendor or customer side. 

Prabh Nair, program director of cybersecurity consulting firm Azpirantz Technologies, told Inc42 that in the case of DotPe, critical APIs were accessible without proper authentication. So anyone with knowledge of the endpoints could retrieve ongoing orders and historical purchase data, which is a privacy nightmare. 

“In this case, the data that is communicated to the vendor side to the financial institutions was left open to access. Thus, APIs returned personal information like names, mobile numbers, order IDs, and order histories without any access controls,” he said. 

Nair added that the absence of rate limiting allows attackers to perform automated scripts to scrape large amounts of data without triggering any security mechanisms.

The information left open could be misused for mass targeting or other nefarious acts. The ability to remotely place orders without verification, for instance, could lead to revenue and food wastage for restaurants. 

Others such as Indusface founder and CEO Ashish Tandon believe that the onus for ensuring platform security is completely on DotPe.  

“‘I believe the risk assessment checks weren’t done comprehensively. The data shouldn’t have been so easily accessible. If the intent of the whistleblower was malicious, it could have been a graver issue. While issues for users might be minimum, the data leak is more critical for vendors like SOCIAL,” he said. 

The revelations around the Google-backed startup comes amid mounting concerns over cybersecurity-related issues for fintech platforms. One of the biggest such incidents in recent times was the crypto heist at WazirX, where users of the crypto platform lost $230 Mn to hackers. 

Over the past few years, lapses in cybersecurity have also led to data breach at fintech platform Juspay in 2021, where the data of 10 Cr users was compromised. Mobikwik, in the same year, was the target of a breach which is said to have affected over 100 Mn users.  

Step up your startup journey with BHASKAR! From resources to networking, BHASKAR connects Indian innovators with everything they need to succeed. Join today to access a platform built for innovation, growth, and community.

You have reached your limit of free stories
Become An Inc42 Plus Member

Become a Startup Insider in 2024 with Inc42 Plus. Join our exclusive community of 10,000+ founders, investors & operators and stay ahead in India’s startup & business economy.

2 YEAR PLAN
₹19999
₹7999
₹333/Month
UNLOCK 60% OFF
Cancel Anytime
1 YEAR PLAN
₹9999
₹4999
₹416/Month
UNLOCK 50% OFF
Cancel Anytime
Already A Member?
Discover Startups & Business Models

Unleash your potential by exploring unlimited articles, trackers, and playbooks. Identify the hottest startup deals, supercharge your innovation projects, and stay updated with expert curation.

How Google-Backed DotPe’s ‘Human Error’ Exposed Confidential Customer Data-Inc42 Media
How-To’s on Starting & Scaling Up

Empower yourself with comprehensive playbooks, expert analysis, and invaluable insights. Learn to validate ideas, acquire customers, secure funding, and navigate the journey to startup success.

How Google-Backed DotPe’s ‘Human Error’ Exposed Confidential Customer Data-Inc42 Media
Identify Trends & New Markets

Access 75+ in-depth reports on frontier industries. Gain exclusive market intelligence, understand market landscapes, and decode emerging trends to make informed decisions.

How Google-Backed DotPe’s ‘Human Error’ Exposed Confidential Customer Data-Inc42 Media
Track & Decode the Investment Landscape

Stay ahead with startup and funding trackers. Analyse investment strategies, profile successful investors, and keep track of upcoming funds, accelerators, and more.

How Google-Backed DotPe’s ‘Human Error’ Exposed Confidential Customer Data-Inc42 Media
How Google-Backed DotPe’s ‘Human Error’ Exposed Confidential Customer Data-Inc42 Media
You’re in Good company