Tangential, but I wish companies like this didn’t force people to provide so much PII in the first place.

In Australia, I’m yet to use a QR menu that doesn’t force me to provide my phone number. Why is my phone number necessary to order a bowl of chips? Ah, I see, Liven needs my phone number so they can sell it, according to their Privacy Policy. Mr Yum apparently doesn’t sell it, but still forces me to provide it anyway.

That’s quite different from my experience using QR menus, which at least here in the UK are often just a (rather pointless) link to the PDF menu that the restaurant already had. It’s only in the case of medium sized chains that you get sent to some random website where you can order things.

It's become impossible to get sit down food or a drink in a US airport without using (what seems to be the same) company's QR code online order and pay to your seat system. It seems to be the same system for every restaurant or bar.

Besides needing to provide unnecessary amounts of information, it also requires a well working internet connection to load their bloated website. Which is often spotty so... very frustrating.

Luckily QR menus are going out of style.

> link to the PDF menu

And the especially responsible will print the (human-readable...) URL under the QR code.

I personally always print a human readable url in monospace font underneath every QR code I generate.

A restaurant in California has menu available only at QR code, and QR code is printed in MS word with skewed dimensions (rectangle instead of a square).

Yeah that’s a good point. I’m actually in the UK at the moment and Wetherspoons is the only place where I’m ordering with my phone (also, the Wetherspoon app is a great example of mobile ordering done right - fast and no collection of PII).

Compared to Melbourne where half the pubs I visit tell me to order via the QR menu where I have to punch in my number and get an OTP before I can order anything.

There's both QR codes that are links to menus and QR codes that are links to interactive menus you can order directly from. Usually the latter will require some sort of sign up.

> I’m yet to use a QR menu that doesn’t force me to provide my phone number.

That's insane.

I never use the QR menus -- I always ask for a printed one -- so I don't know if that's how it works around here, but I certainly hope not.

I have a friend in the midwest who actually can't use QR codes - he gets electric shocks whenever his phone tries to scan one. Definitely weird!

Let me get this straight: your friend continues to use an electronic device which routinely delivers electric shocks to them upon execution of arbitrary software instructions?

It's now part of his workflow. The control button was hard to reach, so he configured emacs to interpret electric shocks as "control".

I definitely have read this reference, but I can't for the life of me remember where it came from or what was the actual bug report.

He had depression but now it's gone, so the treatment must be working.

> Why is my phone number necessary to order a bowl of chips?

Maybe as a backup for whatever unique device ID your phone gives them? The goal with QR menus right now is mostly conditioning people to accept them, but the long term goal is making it so that they can figure out who you are, what your income level is, what your eating habits are, what your order history has been, plus whatever else they feel like gathering and then using all that data to dynamically generate a menu with the highest possible prices they think they can wring out of you.

They want to make it so that when you order a bowl of chips they can charge you more than the person next to you who orders that same menu item without you ever being aware of that fact. They want to be able to adjust your prices with each visit to algorithmically determine the maximum amount you'll pay for something.

I'd suggest staying away from QR menus and rejecting the idea that discriminatory pricing is acceptable.

Jesus, is this really a thing?

What about a group of people with different wealth profiles sitting at the same table? Would John who orders a steak and drives a Mercedes be charged $85 while Amy who drives a Honda Civic pay only $65 for that same steak?

> Jesus, is this really a thing?

Plane tickets are going into that direction, though no direct differentiation between people for now.

But routes/connections/timings indicating for example business travel will induce higher price than the same seat sold as part of flight indicating client more influenced by cost of flight.

And price differs between various places even in case buying the same seat for the same flight. For example you can effectively pay to skip deliberately annoying parts.

Yes. See for example https://link.springer.com/article/10.1057/s41272-019-00224-3

many stores (including grocery stores) have already been testing it out.

The biggest hurdle they face is the fact that most people (if aware that it's happening at all) find it offensive, which it is. Even those store loyalty cards are conditioning us to accept the idea that certain people get, or even deserve to get, different prices because of who or what they are. Prices should be transparent and it shouldn't matter how much money you have, or who you know, or how "loyal" you are (what a sick concept!) to a grocery store.

In the US, I've never used a QR menu. If they ask, I just tell them my phone is broken and won't work to scan the QR.

A coworker often uses the phrase, "I don't do that."

It's a very useful phrase in some circumstances and I have stolen it shamelessly.

Had a similar thing with my ISP. Upgraded to a faster speed and they tried to slap a $100 "installation fee" on it. Just said "I don't pay installation fees", and it worked out better than I thought it would.

"You will! And the company that will bring it to you... is AT&T!" https://en.wikipedia.org/wiki/You_Will

This is great I’m definitely gonna remember this. Epitome of the bugs bunny “no” meme

Honest question, why would anyone ever use a QR menu ?

It seems like a more complicated process in every way.

I actually like the concept when executed properly.

If I’m eating out at a bar by myself, it means I don’t have to lose my table to get up and order. I also have social anxiety, if the bar is packed it’s a real problem for me. I’ll usually end up hovering while everyone else takes advantage and pushes in front of me.

The Wetherspoons app in the UK is a great example. Easy and fast to use, requires no account/PII just pay with Apple Pay.

Fair. I think if this was the case for me I would go to a bar that has waiters or just get a take out.

They got big during COVID days for being more "touchless"

I guess "because someone told them to" is the answer I'm looking for.

Maybe so that if you live in a house where the "street address" doesn't actually match the street you're on, because 1950s town planning conflicts with 1590s town planning, the delivery driver can phone you before your "Special Mixed Kebab" - a bulging 16" pizza box full of doner, kofta, shaslik, shawerma, fried chicken, burgers, pakora, four Naan breads and half a litre of hummus, for 25 quid - gets cold?

OP is definitely referring to QR codes to view menus INSIDE of the restaurant. Obviously phone numbers for delivery has an actual use.

> Obviously phone numbers for delivery has an actual use.

You would think that, wouldn't you?

I routinely see my real number printed on store receipts when the store has no reason to have them. GrubHub is supposed to anonymize numbers; the drivers always come through on a particular area code that I can recognize.

I've had drivers call me when lost, and it's always lost within my apartment complex (even though I've given really specific notes for every step of the way). I just explain it the same way I did in the notes, but they sometimes have a really poor sense of direction.

I've had a couple drivers call me because they refused to leave their car or come to the doorstep to put the food where they're supposed to. In fact, one of them sent me a photo of the Dumpster where I guess he tossed my meal.

Also, driver numbers are disclosed to the customer so that we can contact them. Drivers never answer their phones nor reply to texts. Their voice mail box is always full. If your order disappeared then the driver won't be answerable for that.

This comment is absurd but I would like to order that please.

Now I'm hungry

There's a bunch of PII, but another issue is a hacker could: refund every payment, start billing random cards, or move money out of their account (this is probably a little more difficult, but they could certainly pay out to the businesses).

Perhaps what they are used more is to start testing cards (we've had this attack happen to our production site on stripe's checkout.js... it'd be much easier if the attackers had our secret key)!

Additionally... if their site is this trivially insecure it won't end here.

Possibly. Stripe supports limited scope API keys called "restricted" that aren't allowed to eg refund payments, though they're not the default. I have no idea how many people are actually using them.

https://stripe.com/docs/keys

I didn't know that, thanks, we should probably be using those...

Unsurprisingly, this company isn't as (in screenshot) their key starts with sk_live_.

I think if I stumbled on this and the vendor was unresponsive I’d notify Stripe ASAP

I was going to say the same thing. There are some active Stripe folks on here, curious if this post itself will trigger anything internally there.

And Stripe can shut it down then respond with "we can only discuss this with a Director of the company. Let us know when you have one and are legally able to be in business."

Can you disable an account if you have the secret key?

Honest question, is that still within the roam of ethical hacking?

I’d argue that it’s ethically the right decision — particularly when the SaaS provider seem to be burying their head in the sand. Legally on the other hand?

In Stripe's case, I've been very happy with how responsive their support is (even my Suggestion Box submissions get personal replies) - I'd expect Stripe to suspend that account within a couple of hours, regardless of the time-of-day.

But if it was, say, Authorize.net (I can't be the only one?) I'd probably take direct-action (via an anonymous proxy, of course - legacy companies just can't stop themselves shooting the messenger first...)

(Disclaimer: I haven't had to deal with Authorize.net since 2016 - can anyone say if things improved since then?)

That's shocking and a shame because the platform itself is a good idea and I'd much prefer to order directly from a restaurant than have up to 30% of my order value go to rent seekers like JustEat, Deliveroo or Uber Eats.

This is an excellent example of why free might ultimately be a bad price point for consumers as well

Wow, just wow. I can't wonder how common such securing coding slip ups are these days.

This isn't a 'coding slip up.' The original issue, as egregious and terrible as it is, could have been a a mistake. However, whoever implemented 'the fix' is someone acting acting with unforgivable malice and deceit.

Anyway its on HN now. FAFO

This doesn't strike me as a slip-up, it strikes me as complete apathy on behalf of the developer(s).

On inspecting the page where they list restaurants, I can see a several versions of jQuery code like this, for each cuisine.

$('#Fish & Chips').on('change', function () {

  if ($('#Fish & Chips').is(':checked')) {

    $('.Fish & Chips').css('background-color', '#3a606e;');

    $('.Fish & Chips').css('color', '#fff;');

  } else {

    $('.Fish & Chips').css('background-color', '#fff');

    $('.Fish & Chips').css('color', '#3a606e;');

 }

});

I have a good feeling this is more of copy-pasta code from either Copilot or ChatGPT or StackOverflow. That also explains why they handled encryption the way described in the article.

Dev: "Hey LLM, how do I pass data around in a secure way ?"

Bot: "You can encrypt the data before you send it, so that only users who have the relevant keys can read them"

Dev: "Hey LLM, it is not possible to access the data I have encrypted on the frontend"

Bot: "Here is the javascript code to decrypt the data you have passed then"

I don't think this site was the work of an LLM. I think it was the result of somebody who just learned frontend JavaScript trying to hack together a website and business, with next to no practical knowledge.

There's all sorts of weird stuff, and it definitely looks like the kind of thing you'd see a beginner copy-pasting code and trying things out would create. The site sets a cookie containing the key-value pair "key":"value", for example.

> key-value pair "key":"value"

This reminds me of when I first started programming professionally. I’d write loops in PHP like

  foreach($orders_by_id as $key => $value) {
    $id = $key;
    $order = $value;
    # ...
  }

This was at a small logistics company you’ve never heard of (read: not the best development practices) so the habit was eventually caught in a code review and corrected. I must have written a dozen or so of those prior to that.

This kind of code is very common among folks who learned JS using jQuery ten years ago and never tried to learn anything else since that time.

"This is what you mean by CSS-in-JS, right?"

But seriously, those selectors are making me cringe. Does it even work with the spaces?

  $('[id="Fish & Chips"]')
  $('[class="Fish & Chips"]')

with attribute selectors like what you have mentioned it would work. But `$('#Fish & Chips')` most certainly will not, since jQuery would throw a syntax error.

It makes sense to throw a syntax error but I wasn't sure what the actual behavior would be. Made me wonder if jquery did some magic to understand what is being queried.

jQuery first came-out long before browsers had querySelector: it used a 100% JS reimplementation of a CSS selector parser and evaluator, which was eventually spun-off into its own library: Sizzle.js: https://github.com/jquery/sizzle - Surprisingly, jQuery didn't fully remove Sizzle until 2019 ( https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ ) - if that seems surprisingly recent, don't forget that querySelector wasn't added to the DOM API until 2013 - with only IE11 supporting it: some places were still using even IE6 well past then, so it makes sense for jQuery to support it for so long.

So using newer CSS selector features, like attribute value selectors, will work fine in post-Sizzle jQuery versions.

Assuming this is human-written, it only makes sense to me as something cooked up by someone who understands a bit of JS but sincerely has no clue how browsers work. A smart and ambitious, if somewhat incurious, junior engineer at work.

This is not a slip up-it’s basically malpractice.

Is it really malpractice if there are zero education requirements, going as far as purposely not calling it software engineering since there is zero standards for the 'engineering' being done.

Perhaps not, but negligence and malpractice are different. Average joe can be negligent and legally liable (driving for example).

No idea what the legal precedent for negligent software engineering would be…

You can be negligent because there are rules of the road you sign up for, and get a license for. But if it's just a job you take with zero qualifications required, how can you be liable? The company, maybe. The programmer? Aren't called code monkeys for nothing.

Oh, I see what you’re saying. I agree. Although even with driving, an unlicensed driver would still be liable.

I suppose it depends what you consider agreement to social rules and how you define liability. I can certainly be held liable for damages for my actions to others which do not require me to hold any license - merely break the law.

Did I agree to the “rules of the road” when I was born? Do I consent by not emigrating?

(nits, picked…)

Use of payment networks and keys are protected by contractual agreements that have quite a lot to do with liability.

This reminds me of a contract I did. End users had complained that they were getting more spam after signing up for an account. I thought it must be a coincidence.

I jump into the firebase console and look at the security rules.

  allow read, write: if true;

Turns out that the whole customer database was wide open. After fixing it up, I tried to work out how things had ended up like this. The entire system had been written by an intern...

The first rule of programming is make it work.

The last rule of programming is make it secure.

At least this appears to be the case from observation.

Interesting to see that Companies House struck off the company – just yesterday.

https://find-and-update.company-information.service.gov.uk/c...

Also interesting that there are three directors linked with the associated companies, all named Jamal Ahmed: one born September 1978, another born March 1978, and a third born September 1999.

Companies house is a goldmine of information.

I usually check out anyone we hire on Companies House. On numerous occasions we've found people with at least 3 slightly different names or dates of birth that work for the same pile of dissolved companies. Sometimes you can Google the different names or look on LinkedIn and see they are exactly the same person.

Instant strike-off.

It's not deliberate for them doing this.

But the real problem here is that the data they collect isn't seen as a liability. If anything, it's an asset. This externality means that forfeiting people's personal info costs them nothing or nearly nothing.

An almost certainly illegal but effective way to stop thus site is to query the API in such a way that the key or account would be suspended.

If they change the tokens, rinse and repeat until you can't find them anymore.

This is illegal don't do this.

Why does ghost.org seem like a scam?