| 제목 | Consumer Comanda Mobile 14.7.1.4 – 15.0.0.8 Improper Authorization |
|---|
| 설명 | Comanda Mobile, a restaurant management application developed by VR Software, contains a critical vulnerability that allows unauthenticated users to access and manipulate restaurant orders (commandas) without proper authorization. The mobile application fails to enforce authentication and access control at the backend level, allowing attackers on the same network to forge HTTP requests and interact with other users' orders (e.g., altering items, generating bills, or deleting entries) without permission.
The issue persists across several versions, from x.x.x.x to x.x.x.x and even the new version x.x.x.x, indicating a long-standing design flaw.
Impact:
1. Unauthorized access to sensitive customer data
2. Tampering with or deleting orders
3. Financial loss for the business (Eat for Free)
4. Potential legal issues due to non-compliance (e.g., GDPR / LGPD)
Exploitation:
Access to the same network (e.g., Wi-Fi used by restaurant staff or customers)
Reported to vendor in September 2024. No response or patch provided as of April 2025. |
|---|
| 원천 | ⚠️ https://medium.com/@davimouar/from-order-to-exploit-a-deep-dive-into-restaurant-network-security-64aeaf3a6f64 |
|---|
| 사용자 | davimo (UID 79678) |
|---|
| 제출 | 2025. 04. 05. AM 04:38 (1 년도 ago) |
|---|
| 모더레이션 | 2025. 04. 06. PM 02:23 (1 day later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 303543 [Consumer Comanda Mobile 까지 14.9.3.2/15.0.0.8 Restaurant Order Login/Password 약한 암호화] |
|---|
| 포인트들 | 20 |
|---|