Ordered a kebab? Expect the hackers: a large-scale data leak discovered in food delivery services

Tomcat

Why do the owners of the vulnerable platform persistently refuse to fix the flaw that was found?

The Cybernews research team discovered a leak of customer data from popular Turkish food delivery services. The incident involves Paketle Lojistik Hizmetleri, a company that routes orders through a Kafka-based platform without adequate security.

The platform exposes an extensive set of customer personal data, including names, home addresses, phone numbers, email addresses, order details, IP addresses, and authentication tokens. This information is available to anyone who connects to the system, without any authentication.

"Every time a new order arrives, any outsider can find out sensitive information about any customer," the researchers told Cybernews. "At the moment, the system is a fountain that sprinkles personal data."

The researchers were able to find orders placed through the following Turkish food delivery apps:
  • Getir: 4.8 million site visits per month, more than 10 million downloads on Google Play;
  • Yemek Sepeti: 4.8 million site visits per month, more than 10 million downloads on Google Play;
  • Migros: 184 thousand site visits per month, more than 10 million downloads on Google Play;
  • Trendyol: 27 thousand site visits per month, more than 1 million downloads on Google Play.

Cybernews specialists reported their discovery to representatives of Paketle Lojistik Hizmetleri, as well as to the Turkish authorities, including the local computer incident response team. Despite eight emails sent between January 25 and March 4, 2024, the company did not take any measures to fix the vulnerability. At the time of publication, access to vulnerable Kafka instances remained open.

The platform stores data about orders for the last ten days, and new ones are added every minute. Over the course of a year, attackers were able to gain access to more than 3 million unique orders.

This leak poses a serious threat to the safety of Turkish customers. Attackers can use the data to reveal customers' locations, steal orders, impersonate couriers, and mount phishing attacks and other cybercrimes. Restaurants integrated into the Paketle system may also suffer, since forged orders could disrupt their operations.

Cybernews researchers emphasize the need to fix the vulnerability urgently. The platform's operators are encouraged to implement authentication, configure IP address whitelists, apply SSL/TLS encryption, and use monitoring mechanisms to detect and respond to suspicious activity.
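As an added illustration (not code from the article, Cybernews, or Paketle), here is a small Python audit of a Kafka broker's server.properties that flags the exposure the researchers describe (a listener that needs no authentication and no TLS, and authorization that defaults to allow) and accepts the recommended configuration; both configs are constructed samples, and the keystore path is a placeholder.

```python
# Constructed sample of the weak state: anyone who can reach port 9092 can consume every topic.
WEAK_CONFIG = """
broker.id=0
listeners=PLAINTEXT://0.0.0.0:9092
"""

# Constructed sample of the recommended state: TLS plus SASL/SCRAM on the client listener,
# an ACL authorizer, and deny-by-default for topics that have no ACL.
HARDENED_CONFIG = """
broker.id=0
listeners=SASL_SSL://0.0.0.0:9093
sasl.enabled.mechanisms=SCRAM-SHA-512
ssl.keystore.location=/etc/kafka/broker.keystore.jks
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
allow.everyone.if.no.acl.found=false
"""


def parse_properties(text: str) -> dict[str, str]:
    # Minimal Java .properties parser: key=value per line, '#' and '!' comment lines ignored.
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def audit_kafka_config(text: str) -> list[str]:
    """Return findings for the checklist above; an empty list means none were triggered."""
    props = parse_properties(text)
    # Named listeners (e.g. EXTERNAL://...) get their protocol from listener.security.protocol.map.
    proto_map = {}
    for entry in props.get("listener.security.protocol.map", "").split(","):
        name, _, proto = entry.partition(":")
        if name.strip():
            proto_map[name.strip().upper()] = proto.strip().upper()
    protocols = set()
    for listener in props.get("listeners", "").split(","):
        name = listener.split("://", 1)[0].strip().upper()
        if name:
            protocols.add(proto_map.get(name, name))
    findings = []
    if "PLAINTEXT" in protocols:
        findings.append("PLAINTEXT listener: no authentication and no TLS")
    if "SASL_PLAINTEXT" in protocols:
        findings.append("SASL_PLAINTEXT listener: credentials and order data cross the network unencrypted")
    if not props.get("authorizer.class.name"):
        findings.append("no authorizer configured: every connected client can read every topic")
    elif props.get("allow.everyone.if.no.acl.found", "false").lower() == "true":
        findings.append("allow.everyone.if.no.acl.found=true: topics without an ACL are open to all")
    return findings
```

Run `audit_kafka_config` over a real server.properties to get the findings list; KRaft clusters use a different authorizer class name, so adjust the hardened sample accordingly.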