| タイトル | Consumer Comanda Mobile 14.7.1.4 – 15.0.0.8 Improper Authorization |
|---|
| 説明 | Comanda Mobile, a restaurant management application developed by VR Software, contains a critical vulnerability that allows unauthenticated users to access and manipulate restaurant orders (commandas) without proper authorization. The mobile application fails to enforce authentication and access control at the backend level, allowing attackers on the same network to forge HTTP requests and interact with other users' orders (e.g., altering items, generating bills, or deleting entries) without permission.
The issue persists across several versions, from x.x.x.x to x.x.x.x and even the new version x.x.x.x, indicating a long-standing design flaw.
Impact:
1. Unauthorized access to sensitive customer data
2. Tampering with or deleting orders
3. Financial loss for the business (Eat for Free)
4. Potential legal issues due to non-compliance (e.g., GDPR / LGPD)
Exploitation:
Access to the same network (e.g., Wi-Fi used by restaurant staff or customers)
Reported to vendor in September 2024. No response or patch provided as of April 2025. |
|---|
| ソース | ⚠️ https://medium.com/@davimouar/from-order-to-exploit-a-deep-dive-into-restaurant-network-security-64aeaf3a6f64 |
|---|
| ユーザー | davimo (UID 79678) |
|---|
| 送信 | 2025年04月05日 04:38 (1 年 ago) |
|---|
| モデレーション | 2025年04月06日 14:23 (1 day later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 303543 [Consumer Comanda Mobile 迄 14.9.3.2/15.0.0.8 Restaurant Order Login/Password 弱い暗号化] |
|---|
| ポイント | 20 |
|---|