| Título | Consumer Comanda Mobile 14.7.1.4 – 15.0.0.8 Improper Authorization |
|---|
| Descrição | Comanda Mobile, a restaurant management application developed by VR Software, contains a critical vulnerability that allows unauthenticated users to access and manipulate restaurant orders (commandas) without proper authorization. The mobile application fails to enforce authentication and access control at the backend level, allowing attackers on the same network to forge HTTP requests and interact with other users' orders (e.g., altering items, generating bills, or deleting entries) without permission.
The issue persists across several versions, from x.x.x.x to x.x.x.x and even the new version x.x.x.x, indicating a long-standing design flaw.
Impact:
1. Unauthorized access to sensitive customer data
2. Tampering with or deleting orders
3. Financial loss for the business (Eat for Free)
4. Potential legal issues due to non-compliance (e.g., GDPR / LGPD)
Exploitation:
Access to the same network (e.g., Wi-Fi used by restaurant staff or customers)
Reported to vendor in September 2024. No response or patch provided as of April 2025. |
|---|
| Fonte | ⚠️ https://medium.com/@davimouar/from-order-to-exploit-a-deep-dive-into-restaurant-network-security-64aeaf3a6f64 |
|---|
| Utilizador | davimo (UID 79678) |
|---|
| Submissão | 05/04/2025 04h38 (há 1 Ano) |
|---|
| Moderação | 06/04/2025 14h23 (1 day later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 303543 [Consumer Comanda Mobile até 14.9.3.2/15.0.0.8 Restaurant Order Login/Password Encriptação fraca] |
|---|
| Pontos | 20 |
|---|