[HN Gopher] Tiffin Tom: Fish, chips and a side of identity theft
___________________________________________________________________
Tiffin Tom: Fish, chips and a side of identity theft
Author : varun_ch
Score : 107 points
Date : 2023-07-16 22:20 UTC (2 days ago)
(HTM) web link (paul.reviews)
(TXT) w3m dump (paul.reviews)
| srmarm wrote:
| That's shocking and a shame because the platform itself is a good
| idea and I'd much prefer to order directly from a restaurant than
| have up to 30% of my order value go to rent seekers like JustEat,
| Deliveroo or Uber Eats.
| refulgentis wrote:
| This is an excellent example of why free might ultimately be a
| bad price point for consumers as well
| wyldfire wrote:
| It's not deliberate for them doing this.
|
| But the real problem here is that the data they collect isn't
| seen as a liability. If anything, it's an asset. This externality
| means that forfeiting people's personal info costs them nothing
| or nearly nothing.
| [deleted]
| hayd wrote:
| There's a bunch of PII, but another issue is a hacker could:
| refund every payment, start billing random cards, or move money
| out of their account (this is probably a little more difficult,
| but they could certainly pay out to the businesses).
|
| Perhaps what they are used more is to start testing cards (we've
| had this attack happen to our production site on stripe's
| checkout.js... it'd be much easier if the attackers had our
| secret key)!
|
| Additionally... if their site is this trivially insecure it won't
| end here.
| fragmede wrote:
| Possibly. Stripe supports limited scope API keys called
| "restricted" that aren't allowed to eg refund payments, though
| they're not the default. I have no idea how many people are
| actually using them.
|
| https://stripe.com/docs/keys
| hayd wrote:
| I didn't know that, thanks, we should probably be using
| those...
|
| Unsurprisingly, this company isn't, as (in the screenshot) their
| key starts with sk_live_.
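The sk_live_ / restricted-key distinction above is easy to turn into a pre-deploy check. This is an added example, not code from the site, the article or anyone in the thread: it scans a front-end bundle for Stripe keys and flags anything that is not a publishable (pk_) key. The prefixes follow Stripe's documented scheme (pk_ publishable, sk_ secret, rk_ restricted); the sample bundle and its keys are constructed placeholders.

```javascript
// Classify Stripe keys found in text that is about to be shipped to browsers.
// Publishable keys belong in the front end; secret and restricted keys do not.
const STRIPE_KEY_RE = /\b(pk|sk|rk)_(live|test)_[A-Za-z0-9]{8,}\b/g;

function classifyStripeKeys(source) {
  const findings = [];
  for (const m of source.matchAll(STRIPE_KEY_RE)) {
    const [key, kind, mode] = m;
    findings.push({
      key: key.slice(0, 12) + '...',          // never log the whole secret
      type: kind === 'pk' ? 'publishable' : kind === 'sk' ? 'secret' : 'restricted',
      mode,                                    // 'live' or 'test'
      // pk_ is expected in a bundle; a live secret/restricted key is critical,
      // a test-mode one is still a leak worth blocking the build on.
      severity: kind === 'pk' ? 'ok' : mode === 'live' ? 'critical' : 'high',
    });
  }
  return findings;
}

// True only if every key in the bundle is a publishable key.
function bundleIsSafe(source) {
  return classifyStripeKeys(source).every(f => f.severity === 'ok');
}

// Constructed sample of a shipped bundle (fake placeholder keys).
const SAMPLE_BUNDLE = `
var stripe = Stripe('pk_live_FAKEPUBLISHABLE0001');
var secret = 'sk_live_FAKESECRETKEY00001'; // must never reach the browser
var rk = 'rk_test_FAKERESTRICTED0001';
`;

console.log(classifyStripeKeys(SAMPLE_BUNDLE));
console.log('safe to ship:', bundleIsSafe(SAMPLE_BUNDLE)); // false
```

Run it against the built assets directory in CI and fail the pipeline when bundleIsSafe returns false.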
| intrasight wrote:
| Wow, just wow. I can't wonder how common such secure coding
| slip-ups are these days.
| gorkish wrote:
| This isn't a 'coding slip-up.' The original issue, as egregious
| and terrible as it is, could have been a mistake. However,
| whoever implemented 'the fix' is someone acting with
| unforgivable malice and deceit.
|
| Anyway it's on HN now. FAFO
| cced wrote:
| This is not a slip-up, it's basically malpractice.
| heattemp99 wrote:
| Is it really malpractice if there are zero education
| requirements, going as far as purposely not calling it
| software engineering since there are zero standards for the
| 'engineering' being done?
| alexeldeib wrote:
| Perhaps not, but negligence and malpractice are different.
| Average joe can be negligent and legally liable (driving
| for example).
|
| No idea what the legal precedent for negligent software
| engineering would be...
| Kalium wrote:
| Assuming this is human-written, it only makes sense to me as
| something cooked up by someone who understands a bit of JS but
| sincerely has no clue how browsers work. A smart and ambitious,
| if somewhat incurious, junior engineer at work.
| [deleted]
| 3-cheese-sundae wrote:
| This doesn't strike me as a slip-up, it strikes me as complete
| apathy on behalf of the developer(s).
| throwaway4233 wrote:
| On inspecting the page where they list restaurants, I can see
| several versions of jQuery code like this, for each
| cuisine.
|
| $('#Fish & Chips').on('change', function () {
|     if ($('#Fish & Chips').is(':checked')) {
|         $('.Fish & Chips').css('background-color', '#3a606e;');
|         $('.Fish & Chips').css('color', '#fff;');
|     } else {
|         $('.Fish & Chips').css('background-color', '#fff');
|         $('.Fish & Chips').css('color', '#3a606e;');
|     }
| });
|
| I have a good feeling this is more of copy-pasta code from
| either Copilot or ChatGPT or StackOverflow. That also
| explains why they handled encryption the way described in the
| article.
|
| Dev: "Hey LLM, how do I pass data around in a secure way?"
|
| Bot: "You can encrypt the data before you send it, so that
| only users who have the relevant keys can read them"
|
| Dev: "Hey LLM, it is not possible to access the data I have
| encrypted on the frontend"
|
| Bot: "Here is the JavaScript code to decrypt the data you
| have passed then"
| hk__2 wrote:
| This kind of code is very common among folks who learned JS
| using jQuery ten years ago and never tried to learn
| anything else since that time.
| lcnPylGDnU4H9OF wrote:
| "This is what you mean by CSS-in-JS, right?"
|
| But seriously, those selectors are making me cringe. Does
| it even work with the spaces?
| $('[id="Fish & Chips"]') $('[class="Fish & Chips"]')
| throwaway4233 wrote:
| With attribute selectors like what you have mentioned it
| would work. But `$('#Fish & Chips')` most certainly will
| not, since jQuery would throw a syntax error.
| lcnPylGDnU4H9OF wrote:
| It makes sense to throw a syntax error but I wasn't sure
| what the actual behavior would be. Made me wonder if
| jQuery did some magic to understand what is being
| queried.
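For the selector question in the replies above: an id or class containing spaces or '&' has to be escaped before it can go after '#' or '.', which is what browsers' CSS.escape does. This is an added example, not the site's code or anything posted in the thread; cssEscape reimplements the CSSOM "serialize an identifier" algorithm so the block also runs outside a browser, and the attribute-selector helper is the alternative suggested above.

```javascript
// Escape an identifier the way CSS.escape does (CSSOM serialize-an-identifier).
function cssEscape(value) {
  const s = String(value);
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    const isDigit = c >= 0x30 && c <= 0x39;
    if (c === 0) { out += '\uFFFD'; continue; }            // NUL -> U+FFFD
    if ((c >= 0x01 && c <= 0x1f) || c === 0x7f ||          // control chars,
        (i === 0 && isDigit) ||                            // leading digit,
        (i === 1 && isDigit && s.charCodeAt(0) === 0x2d)) { // digit after a leading '-'
      out += '\\' + c.toString(16) + ' ';                  // -> "\hex "
      continue;
    }
    if (i === 0 && c === 0x2d && s.length === 1) { out += '\\-'; continue; }
    if (c >= 0x80 || c === 0x2d || c === 0x5f || isDigit ||
        (c >= 0x41 && c <= 0x5a) || (c >= 0x61 && c <= 0x7a)) {
      out += s[i];                                         // safe as-is
      continue;
    }
    out += '\\' + s[i];                                    // anything else: backslash it
  }
  return out;
}

// '#Fish\ \&\ Chips' is a valid selector for id="Fish & Chips";
// '#Fish & Chips' is not.
function idSelector(id) { return '#' + cssEscape(id); }
function classSelector(cls) { return '.' + cssEscape(cls); }

// Attribute-selector form: the value is a quoted CSS string, so only
// '"' and '\' need escaping inside it.
function attrSelector(attr, value) {
  const quoted = String(value).replace(/[\\"]/g, ch => '\\' + ch);
  return '[' + attr + '="' + quoted + '"]';
}

console.log(idSelector('Fish & Chips'));            // #Fish\ \&\ Chips
console.log(classSelector('Fish & Chips'));         // .Fish\ \&\ Chips
console.log(attrSelector('class', 'Fish & Chips')); // [class="Fish & Chips"]
```

In a browser, `document.querySelector(idSelector('Fish & Chips'))` and `$(idSelector('Fish & Chips'))` both resolve, whereas the unescaped form throws.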
| OkayPhysicist wrote:
| I don't think this site was the work of an LLM. I think it
| was the result of somebody who just learned frontend
| JavaScript trying to hack together a website and business,
| with next to no practical knowledge.
|
| There's all sorts of weird stuff, and it definitely looks
| like the kind of thing you'd see a beginner copy-pasting
| code and trying things out would create. The site sets a
| cookie containing the key-value pair "key":"value", for
| example.
| smelendez wrote:
| I think if I stumbled on this and the vendor was unresponsive I'd
| notify Stripe ASAP
| gdprrrr wrote:
| Can you disable an account if you have the secret key?
| sverhagen wrote:
| Honest question, is that still within the realm of _ethical_
| hacking?
| mmcclure wrote:
| I was going to say the same thing. There are some active Stripe
| folks on here, curious if this post itself will trigger
| anything internally there.
| dinom wrote:
| > Ya know the worst part? After explaining all this, my chips
| were cold. Oh, the humanity.
|
| The worst part for me is that the blog reads like a short story
| instead of a technical analysis. And, given that it's published
| via ghost.org, it makes me think there's just a bunch of scams and
| meta-scams going on... one layered on top of the other.
| shortcake27 wrote:
| Tangential, but I wish companies like this didn't force people to
| provide so much PII in the first place.
|
| In Australia, I'm yet to use a QR menu that doesn't force me to
| provide my phone number. Why is my phone number necessary to
| order a bowl of chips? Ah, I see, Liven needs my phone number so
| they can sell it, according to their Privacy Policy. Mr Yum
| apparently doesn't sell it, but still forces me to provide it
| anyway.
| JohnFen wrote:
| > I'm yet to use a QR menu that doesn't force me to provide my
| phone number.
|
| That's insane.
|
| I never use the QR menus -- I always ask for a printed one --
| so I don't know if that's how it works around here, but I
| certainly hope not.
| Freedom2 wrote:
| I have a friend in the midwest who actually can't use QR
| codes - he gets electric shocks whenever his phone tries to
| scan one. Definitely weird!
| stouset wrote:
| Let me get this straight: your friend _continues to use_ an
| electronic device which routinely delivers electric shocks
| to them upon execution of arbitrary software instructions?
| antod wrote:
| It's now part of his workflow. The control button was
| hard to reach, so he configured emacs to interpret
| electric shocks as "control".
| cafeinux wrote:
| I definitely have read this reference, but I can't for
| the life of me remember where it came from or what was
| the actual bug report.
| wlesieutre wrote:
| https://xkcd.com/1172/
| Gordonjcp wrote:
| Maybe so that if you live in a house where the "street address"
| doesn't actually match the street you're on, because 1950s town
| planning conflicts with 1590s town planning, the delivery
| driver can phone you before your "Special Mixed Kebab" - a
| bulging 16" pizza box full of doner, kofta, shaslik, shawerma,
| fried chicken, burgers, pakora, four Naan breads and half a
| litre of hummus, for 25 quid - gets cold?
| topato wrote:
| OP is definitely referring to QR codes to view menus INSIDE
| of the restaurant. Obviously phone numbers for delivery have
| an actual use.
| [deleted]
| cafeinux wrote:
| This comment is absurd but I would like to order that please.
| noodlesUK wrote:
| That's quite different from my experience using QR menus, which
| at least here in the UK are often just a (rather pointless)
| link to the PDF menu that the restaurant already had. It's only
| in the case of medium sized chains that you get sent to some
| random website where you can order things.
| lcnPylGDnU4H9OF wrote:
| > link to the PDF menu
|
| And the especially responsible will print the (human-
| readable...) URL under the QR code.
| davchana wrote:
| I personally always print a human readable url in monospace
| font underneath every QR code I generate.
|
| A restaurant in California has its menu available only via a QR
| code, and the QR code is printed in MS Word with skewed
| dimensions (a rectangle instead of a square).
| psychlops wrote:
| In the US, I've never used a QR menu. If they ask, I just tell
| them my phone is broken and won't work to scan the QR.
| lcnPylGDnU4H9OF wrote:
| A coworker often uses the phrase, "I don't do that."
|
| It's a very useful phrase in some circumstances and I have
| stolen it shamelessly.
| xur17 wrote:
| Had a similar thing with my ISP. Upgraded to a faster speed
| and they tried to slap a $100 "installation fee" on it.
| Just said "I don't pay installation fees", and it worked
| out better than I thought it would.
| Given_47 wrote:
| This is great, I'm definitely gonna remember this. Epitome
| of the Bugs Bunny "no" meme.
___________________________________________________________________
(page generated 2023-07-18 23:00 UTC)