Security researcher Ashoka_Rao discovered a logic flaw in the ownership verification workflow of restaurant directory and food delivery service Zomato.
The flaw allowed him to send a confirmation SMS to his own phone and claim any unclaimed restaurant on the platform, including those that were not open for delivery; he was then able to edit the restaurant’s details, including its name, location, menu and opening hours.
Zomato fixed the issue and awarded Rao €2,500 ($2,830) as part of its bug bounty programme.
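The defensive pattern that closes this class of flaw is to send the confirmation code only to the contact number already on record for the restaurant, never to a number supplied in the claim request. The following Python is an added illustration, not Zomato's code or anything from the original report; the restaurant records, the in-memory stores and the function names are assumptions.

```python
# Added example (not Zomato's code): an ownership-claim flow that binds the
# confirmation code to the phone number already on record for the restaurant,
# so a claimant cannot redirect the SMS to a number they control.
import hashlib
import hmac
import secrets
import time

RESTAURANTS = {  # constructed sample data
    "r-101": {"name": "Sample Bistro", "owner_phone": "+10000000001", "claimed": False},
}
PENDING = {}    # claim_id -> {restaurant_id, code_hash, expires, attempts}
SENT_SMS = []   # stand-in for the SMS gateway; records (phone, code) pairs

def start_claim(restaurant_id, requested_phone=None):
    """Begin a claim. requested_phone is accepted only to show that it is
    deliberately ignored: the SMS goes to the number on record, never to a
    caller-supplied number."""
    r = RESTAURANTS[restaurant_id]
    if r["claimed"]:
        raise PermissionError("restaurant already has a verified owner")
    code = f"{secrets.randbelow(10**6):06d}"        # 6-digit one-time code
    claim_id = secrets.token_urlsafe(16)
    PENDING[claim_id] = {
        "restaurant_id": restaurant_id,
        "code_hash": hashlib.sha256(code.encode()).hexdigest(),
        "expires": time.time() + 300,                # 5-minute validity
        "attempts": 0,
    }
    SENT_SMS.append((r["owner_phone"], code))        # real gateway call goes here
    return claim_id

def confirm_claim(claim_id, code, new_owner_account):
    """Finish a claim. Fails closed on unknown, expired or brute-forced claims."""
    p = PENDING.get(claim_id)
    if p is None or time.time() > p["expires"] or p["attempts"] >= 5:
        PENDING.pop(claim_id, None)
        return False
    p["attempts"] += 1
    supplied = hashlib.sha256(code.encode()).hexdigest()
    if not hmac.compare_digest(p["code_hash"], supplied):
        return False
    r = RESTAURANTS[p["restaurant_id"]]
    r["claimed"] = True
    r["owner_account"] = new_owner_account
    PENDING.pop(claim_id)                            # code is single-use
    return True
```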
Researchers commonly target food delivery apps for vulnerability testing.
Last year, a similar flaw was discovered in Grubhub’s system, allowing attackers to hijack the profiles of more than 50,000 restaurants.
And in 2020, a vulnerability in DoorDash allowed hackers to delete user reviews.