An X user posted a detailed blog of his interaction with DotPe's APIs while placing orders in a restaurant and said he was able to access information of the restaurants to which the startup provides services
The blog post was taken down after DotPe intervened, but it initiated an online debate about cybersecurity and the other measures startups and companies need to take amid increasing digitisation
DotPe said that a ‘human error’ led to the APIs remaining open and the error was rectified. It also said that it would enhance security across its entire product suite in the coming days
Amid an increase in cybersecurity-related incidents in India, Gurugram-based payments and commerce platform DotPe found itself in the middle of a public outcry this week over its lax cybersecurity guardrails.
On September 22, an X user named ‘Pea Bee’ posted a detailed blog of his interaction with DotPe’s APIs while placing an order at a restaurant to which the startup provides services. The post, which was taken down after DotPe intervened, raised serious concerns about leaks of personally identifiable information (PII), thanks to the completely open APIs published by the platform.
For instance, scanning a QR code in a DotPe partner restaurant enabled ‘Pea Bee’ to place orders not only for himself but also for other individuals at the restaurant. Besides this, sensitive information such as mobile numbers, order history and frequency of visits was also easily available through the APIs.
Besides these details, the individual was able to access the order history for the outlet, as well as the monthly revenue for each of the restaurant’s locations across India.
“This is just one cafe. DotPe has thousands of dine-in restaurants across India. Can see what everyone in India is currently eating in real-time at all restaurants?… Surely their merchants won’t appreciate a random online person lurking around accessing their monthly sales figures,” his post on substack read.
Founded by Gyanesh Sharma, Anurag Gupta and Shailaz Nag in 2019, DotPe offers payment services to offline and online enterprises. It also helps offline enterprises go online and provides order management services. It counts the likes of Ola, Burger Singh, Spicelab, Barista, Social, Wat-a-Burger as its clients. Besides, it claims that its services are used by over 7.5 Mn merchants globally.
The startup has raised over $93.5 Mn in funding since inception. It is backed by the likes of Google, Temasek, Info Edge Ventures, PayU, among others.
While the post was deleted, it picked up steam soon on social media platforms, and several others began digging into DotPe’s APIs to find other details. One user on X posted a list of the top-selling items at each restaurant of the SOCIAL chain.
In response to the seeming security lapse, a DotPe spokesperson told Inc42 that it was a ‘human error’ that led to the APIs remaining open and accessible by anyone who wanted to dig around.
The startup acknowledged the issue and said that a few of its API calls are intentionally kept open for easy access to information such as store ID, menu details, item prices, most ordered items and more.
“The said error was promptly rectified upon discovery. Our other product offerings & databases remain unaffected. We prioritise merchant data security and have already implemented stronger measures in response. Over the coming weeks, we will further enhance security across our entire product suite. Protecting our merchants and their data remains our top priority, and we are committed to the highest standards of security and trust,” the spokesperson added.
When we looked at the APIs, we were able to see store IDs of the restaurant chain SOCIAL. However, order details, history, and top orders weren’t visible, which indicates that DotPe has plugged the leak.
APIs allow systems to communicate with each other and are vital for tech companies to facilitate transactions and other activities on the vendor or customer side.
Prabh Nair, program director of cybersecurity consulting firm Azpirantz Technologies, told Inc42 that in the case of DotPe, critical APIs were accessible without proper authentication. So anyone with knowledge of the endpoints could retrieve ongoing orders and historical purchase data, which is a privacy nightmare.
“In this case, the data that is communicated to the vendor side to the financial institutions was left open to access. Thus, APIs returned personal information like names, mobile numbers, order IDs, and order histories without any access controls,” he said.
Nair added that the absence of rate limiting allows attackers to perform automated scripts to scrape large amounts of data without triggering any security mechanisms.
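The two gaps Nair describes, endpoints that return order records without any access control and the absence of rate limiting, can be made concrete with a small model. The following is an added example written for this article, not DotPe's code or a description of its actual APIs; every record, session token, function and client key in it is constructed for illustration. It contrasts an open lookup that hands back a full order record to anyone who supplies an id with a hardened lookup that authenticates the caller, rate-limits per client before touching the data, checks that the order belongs to the caller, and returns only the fields the caller needs. The bucket also counts denied requests per client, which is the figure a defender would alert on to notice automated scraping.

```python
"""Open versus hardened order lookup (constructed example, not DotPe's code)."""

# Constructed sample records: each order is tied to one customer and
# carries a phone number, i.e. the kind of PII the article describes.
ORDERS = {
    101: {"customer": "cust-A", "phone": "+91-98xxxxxx01", "items": ["latte"]},
    102: {"customer": "cust-B", "phone": "+91-98xxxxxx02", "items": ["burger"]},
}

# Constructed session store: bearer token -> customer id.
SESSIONS = {"tok-A": "cust-A", "tok-B": "cust-B"}


class Unauthenticated(Exception):
    """No valid session token was presented."""


class TooManyRequests(Exception):
    """The per-client rate limit was exceeded."""


class Forbidden(Exception):
    """The order does not exist or does not belong to the caller."""


def open_order_lookup(order_id):
    """Open variant: whoever knows (or guesses) an id gets the whole record,
    phone number included. No authentication, no ownership check, no limit."""
    return ORDERS.get(order_id)


class TokenBucket:
    """Per-client token bucket: `capacity` requests may burst, then the
    bucket refills at `refill_per_sec`. Time is passed in explicitly so the
    behaviour is deterministic and testable."""

    def __init__(self, capacity, refill_per_sec):
        self.capacity = capacity
        self.refill = refill_per_sec
        self._state = {}   # client key -> (tokens, last_seen)
        self.denied = {}   # client key -> number of rejected requests

    def allow(self, key, now):
        tokens, last = self._state.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        if tokens < 1:
            self._state[key] = (tokens, now)
            # A rising count here is the signal that a client is scripting
            # requests faster than a person browsing a menu would.
            self.denied[key] = self.denied.get(key, 0) + 1
            return False
        self._state[key] = (tokens - 1, now)
        return True


def hardened_order_lookup(order_id, session_token, client_key, bucket, now):
    """Hardened variant: authenticate, rate-limit, authorise, minimise."""
    # 1. Authenticate: the token must map to a known customer.
    customer = SESSIONS.get(session_token)
    if customer is None:
        raise Unauthenticated()
    # 2. Rate-limit before doing any work, so denied calls still cost a token.
    if not bucket.allow(client_key, now):
        raise TooManyRequests()
    # 3. Object-level authorisation. A missing order and someone else's order
    #    produce the same error so the endpoint does not confirm which ids exist.
    order = ORDERS.get(order_id)
    if order is None or order["customer"] != customer:
        raise Forbidden()
    # 4. Return only what the caller needs; the phone number never leaves.
    return {"order_id": order_id, "items": list(order["items"])}


if __name__ == "__main__":
    bucket = TokenBucket(capacity=3, refill_per_sec=1.0)
    print("open:", open_order_lookup(102))
    print("hardened:", hardened_order_lookup(101, "tok-A", "ip-1", bucket, now=0.0))
    for attempt in range(4):
        try:
            hardened_order_lookup(102, "tok-A", "ip-1", bucket, now=0.0)
        except Forbidden:
            print("attempt", attempt, "-> forbidden (not the caller's order)")
        except TooManyRequests:
            print("attempt", attempt, "-> rate limited; denied so far:", bucket.denied)
```

The ordering inside `hardened_order_lookup` is deliberate: the rate limiter runs before the database lookup, so a client cycling through ids pays for every attempt whether or not the id exists, and the "not found" and "not yours" cases are collapsed into one response so the endpoint cannot be used to enumerate valid ids.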
The information left open could be misused for mass targeting or other nefarious acts. The ability to remotely place orders without verification, for instance, could lead to revenue and food wastage for restaurants.
Others such as Indusface founder and CEO Ashish Tandon believe that the onus for ensuring platform security is completely on DotPe.
“I believe the risk assessment checks weren’t done comprehensively. The data shouldn’t have been so easily accessible. If the intent of the whistleblower was malicious, it could have been a graver issue. While issues for users might be minimum, the data leak is more critical for vendors like SOCIAL,” he said.
The revelations around the Google-backed startup come amid mounting concerns over cybersecurity-related issues for fintech platforms. One of the biggest such incidents in recent times was the crypto heist at WazirX, where users of the crypto platform lost $230 Mn to hackers.
Over the past few years, lapses in cybersecurity have also led to a data breach at fintech platform Juspay in 2021, where the data of 10 Cr users was compromised. Mobikwik, in the same year, was the target of a breach which is said to have affected over 100 Mn users.