Hacker News

Is there a reason you're not naming them? You disclosed it responsibly, and presumably they have now fixed it. I don't understand the rationale for _not_ naming them.


No particular reason - I hadn't decided if I wanted to name and shame them directly (though if you really wanted to find out, there aren't that many food delivery startups in NYC...), and in the absence of intent to name and shame, my default inclination is to not.

The issue was reported a while back, and after convincing them that, no, HTTP auth is a terrible idea, they did switch to HTTPS. This is not an open vulnerability.

Hint: tcas seems to be referring to the same company.


For all we know, he disclosed it 4 days ago. Merely disclosing a vuln doesn't mean an appropriate amount of time has passed where it could be patched. Remember, real users' info is at stake.


Fair point. I got the impression it had been fixed, but that may have been wrong. Hopefully, once it is fixed, they will be named, otherwise I don't see how things can ever get better.



