What’s inside the QR code menu at this cafe? – by peabee
Posted by jpluimers on 2024/09/27
This is why I do not trust ordering via QR-code: you never know how good (or usually bad, often even non-existent) their security is.
[Wayback/Archive] What’s inside the QR code menu at this cafe? – by peabee is a really bad example involving Google-backed DotPe: they have zero-auth, and by now have rate-limited API access by IP address.
…
I went to a cafe near my home. I sat down and scanned the QR code on the table. It took me to a website displaying the cafe’s menu. It asked me for my name and Whatsapp mobile number. I entered the details and placed the order.
In 5 mins my order arrived at the table. There was no OTP verification, and no one came to confirm the order. Is this what the peak ordering experience looks like?
It was a slow workday, and I thought I might as well open this QR code website on my laptop and have a quick look under the hood. Maybe I should’ve just made my own coffee and stayed home because I didn’t realize I was opening a can of worms.
…
This kind of zero-auth is not infrequent: the Panels API and CDN were wide-open too: [Wayback/Archive] https://storage.googleapis.com/panels-api/data/20240916/media-1a-i-p~s
The Panels app was by Marques Brownlee (@MKBHD): [Wayback/Archive] Marques Brownlee on X: “Golden rule #1 of the internet: Never try to charge for something that was already free.”
This Panels app leak was found by [Wayback/Archive] Thread by @uwukko on Thread Reader App – … that’s literally it, search for “dhd” to get full resolution files …
Panels App via
- [Wayback/Archive] AppleLeaker on X: “Bro repackaged an old wallpaper app that launched in 2021, slapped his name on it and called it a day. He’s now taking a 50% commission on wallpaper sales from artists, uses personal identifiers to track users for ads, and sells a $50/year subscription. This is a blatant cash”
  [Wayback/Archive] GYNTqMHa8AAJc5G.jpg (1125×824) / [Wayback/Archive] Tweet JSON
- [Wayback/Archive] AJ Stuyvenberg on X: “🤦Every single wallpaper is sitting in a public bucket”
  [Wayback/Archive] GYScRLoWMAA91n9.jpg (1120×1082)
  [Wayback/Archive] GYScokMWgAAufLd.jpg (1200×1062)
- [Wayback/Archive] Thread by @uwukko on Thread Reader App – the panels app is very poorly made and all payments are verified on client side links to all wallpapers (hd/sd) are preloaded right after the app is launched, all you need are basic mitm skills to get them for free. the file with links isn’t authenticated or protected *at all*
[Wayback/Archive] Marques Brownlee on X: “And now – I’m so pumped to be launching this app! …”
[Wayback/Archive] Post with notes / X
Additional context (w/o piracy):
The app doesn’t properly protect artists from piracy.
The app tries to access your search history, purchases, contact info, & location.
It’s $50/year for the original wallpapers.
Artists only get half.
Some wallpapers are undisclosed AI.
  https://x.com/LeakerApple/status/1838405155487912302
  https://apps.apple.com/us/app/panels-wallpapers/id6474455074
- [Wayback/Archive] Thread by @uwukko on Thread Reader App – that’s literally it, search for “dhd” to get full resolution files …
  thanks to @xyz3va for confirming that subscription info is indeed not stored on their firebase at all 😭
  storage.googleapis.com/panels-api/dat…
  [Wayback/Archive] @xyz3va the link was obtained with no purchases and without agreeing to terms of use, just for clarification
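The thread above describes the failure mode precisely: payments are verified on the client, and an unauthenticated file listing every full-resolution link is handed to each install at launch. As an added example (not code from the Panels app, from DotPe, or from any of the linked posts), here is the server-side shape that avoids it: the server consults its own subscription record before it ever produces a full-resolution (“dhd”) link, and every link it does produce is a short-lived HMAC-signed URL that the CDN verifies. The subscription store, the catalogue, the hostname cdn.example and the signing key are all constructed for this example.

```python
# Added example, not the Panels app's or DotPe's code: server-side entitlement
# checks plus short-lived signed download URLs. The subscription records,
# catalogue, hostname and signing key below are constructed placeholders; a
# real deployment backs them with a database and a key from a secrets manager.
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

SIGNING_KEY = b"example-signing-key-do-not-use"  # constructed placeholder
URL_TTL_SECONDS = 300                              # links die after 5 minutes

# Constructed subscription records: the server, not the client, is the
# source of truth for who has paid.
SUBSCRIPTIONS = {
    "user-1": {"active": True, "expires_at": 4102444800},   # far in the future
    "user-2": {"active": False, "expires_at": 0},
}

# Constructed catalogue entry in the shape the thread describes: an "sd"
# preview and a "dhd" full-resolution file per asset.
CATALOGUE = {
    "asset-001": {"sd": "sd/asset-001.jpg", "dhd": "dhd/asset-001.jpg"},
}


class NotEntitled(Exception):
    """Raised when the server-side record does not grant access."""


def has_active_subscription(user_id: str, now: int) -> bool:
    rec = SUBSCRIPTIONS.get(user_id)
    return bool(rec and rec["active"] and rec["expires_at"] > now)


def _signature(path: str, user_id: str, expires: int) -> str:
    # Bind the signature to the object path, the user and the expiry so a
    # link cannot be re-pointed, shared under another user id, or reused late.
    msg = f"{path}|{user_id}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_media_url(user_id: str, asset_id: str, quality: str,
                    now: Optional[int] = None) -> str:
    """Return a signed URL for one asset, or raise NotEntitled.

    The insecure pattern from the thread is the reverse: every client gets the
    whole manifest (all "dhd" links) and the app decides what to show. Here a
    "dhd" link is only ever produced after the server-side check passes.
    """
    now = int(time.time()) if now is None else now
    if quality == "dhd" and not has_active_subscription(user_id, now):
        raise NotEntitled(f"{user_id} has no active subscription")
    path = CATALOGUE[asset_id][quality]
    expires = now + URL_TTL_SECONDS
    query = urlencode({"u": user_id, "e": expires,
                       "sig": _signature(path, user_id, expires)})
    return f"https://cdn.example/{path}?{query}"


def verify_media_url(url: str, now: Optional[int] = None) -> bool:
    """CDN-side check: the signature must match and the link must not have expired."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        user_id = q["u"][0]
        expires = int(q["e"][0])
        sig = q["sig"][0]
    except (KeyError, ValueError):
        return False
    if expires <= now:
        return False
    path = parts.path.lstrip("/")
    return hmac.compare_digest(sig, _signature(path, user_id, expires))


def entitled_manifest(user_id: str, now: Optional[int] = None) -> dict:
    """Per-user manifest: previews for everyone, "dhd" links only when entitled."""
    now = int(time.time()) if now is None else now
    out = {}
    for asset_id in CATALOGUE:
        entry = {"sd": issue_media_url(user_id, asset_id, "sd", now)}
        if has_active_subscription(user_id, now):
            entry["dhd"] = issue_media_url(user_id, asset_id, "dhd", now)
        out[asset_id] = entry
    return out


if __name__ == "__main__":
    t = 1_700_000_000
    print(entitled_manifest("user-1", t))   # has a "dhd" link
    print(entitled_manifest("user-2", t))   # preview only
```

The two things worth noticing are that the manifest is built per user from a server-held record (so “subscription info not stored on their firebase at all” simply cannot happen), and that a leaked link is worth little: it expires in minutes and is bound to one user and one object path.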
Related:
- [Wayback/Archive] MKBHD (Un-Official)
- [Wayback/Archive] storage.googleapis.com/panels-api/data/20240916/media-1a-i-p~s
- [Wayback/Archive] Luke Johnstone on X: “@iambepin @uwukko @trshpuppy @xyz3va I followed this at some point: …”
[Wayback/Archive] Data Scraping Android Apps. Analyzing App Network Traffic with apk-mitm and mitmproxy… | by Roger Pharr | Towards Data Science
- [Wayback/Archive] grim on X: “@Zorvyyy @uwukko @trshpuppy @xyz3va youtube.com/watch?v=xQGC-8ojYbU&t=167s… you can set it up in 5 minutes 💯”
[Wayback/Archive] Reverse Engineering a Private API with mitmproxy – YouTube (at 01:47)
and various people who wrote scripts to download the imagery, or downloaded it themselves:
- [Wayback/Archive] Eric B on X: “@uwukko @xyz3va curl -s $URL | jq -r ‘.data[] | select(has(“dhd”)) | .dhd’ | while read -r url; do # Extract the base filename by removing the query string filename=$(basename “${url%%\?*}”) # Download the file with the sanitized filename curl -s -o “$filename” “$url” done” which uses jq (see related blog post below):

    curl -s "$URL" | jq -r '.data[] | select(has("dhd")) | .dhd' | while read -r url; do
        # Extract the base filename by removing the query string
        filename=$(basename "${url%%\?*}")
        # Download the file with the sanitized filename
        curl -s -o "$filename" "$url"
    done

- [Wayback/Archive] self hate account on X: “@Bk1326 @uwukko @xyz3va here you go privatebin.net/?d4cb27c084f92091#JBoaijBw46BYiCaP7YgGPQbSP7NPaPDeKFLvaYZsETte… just put them in IDM or something like that”
- [Wayback/Archive] k on X: “@NakanoRoku @onlyifisaythis @uwukko @xyz3va gofile.io/d/WVqg7X Here you go”
- [Wayback/Archive] Alvish Ramani on X: “@uwukko @xyz3va github.com/nadimkobeissi/mkbsd… Here’s the script to download all of them at once”
  [Wayback/Archive] GitHub – nadimkobeissi/mkbsd: Download all the wallpapers in MKBHD’s “Panels” app
  Running in Node.js
  - Ensure you have Node.js installed.
  - Run node mkbsd.js
  - Wait a little.
  - All wallpapers are now in a newly created downloads subfolder.
  Running in Python
  - Ensure you have Python installed.
  - Ensure you have the aiohttp Python package installed (pip install aiohttp).
  - Run python mkbsd.py
  - Wait a little.
  - All wallpapers are now in a newly created downloads subfolder.
- [Wayback/Archive] Daniel Doblado on X: “@uwukko @xyz3va For the lazy: jsfiddle.net/hkb6pL20/ I would personally not use any of these wallpapers, and 50$ a year feels insulting.”
- [Wayback/Archive] pia.sh 🇧🇩 🇦🇺 on X: “@uwukko @xyz3va And here is a simple script to download all the HD files – not that anyone asked 😅 …”
[Wayback/Archive] Download all HD wallpapers from MKBHD’s panels.art website · GitHub
- [Wayback/Archive] Y on X: “@_Octopus0 @nintendobenzo @uwukko @xyz3va Here you go. I wrote a NodeJS script, in like 5 minutes lol. 375 image files that had the key “dhd”, names kept as found. …”
[Wayback/Archive] mkbhd.7z – Google Drive -> [Wayback/Archive] Google Drive – Virus scan warning -> actual download.
- [Wayback/Archive] self hate account on X: “@Lunascaped @uwukko @xyz3va here is the HTML, you can save it as index.html and open in a browser to browse through the wallpapers or upload it somewhere that can host a html file privatebin.net/?35e75be47030ee5f#3amgR3qBuiSEWDTpNfLgKwok7oewnr9QHWFsifMPmR51…”
- [Wayback/Archive] Hyperbolical on X: “@uwukko @xyz3va Terrible wallpapers, still had a laugh doing this: wallpapers.pablohuet.com Not even worth it for serving the files, is just a parsing site of that json with not even pagination”
Related blog post: Bash that JSON (with jq) — Librato Blog
--jeroen





