Reminder to self: re-check the Dotpe API Security Breach — bool.dev
Posted by jpluimers on 2025/03/04

Still public merchant information
It looks like some store and merchant APIs were not protected back when [Wayback/Archive] Dotpe API Security Breach — bool.dev was published.
Reminder to self: check their status now as I can’t believe their “human error” got fixed properly.
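One way to do the re-check the reminder above calls for (does an endpoint still answer anonymous callers, and does it throttle a burst of them?), as an added example that is not part of the original post and not anything DotPe or the linked authors published. It runs entirely against a constructed stand-in server on loopback: the /demo/... paths, the three-request throttle threshold, the Retry-After value and the sample payloads are invented for the demo. The probe itself only ever sends anonymous GETs (no cookies, no tokens) and records what comes back, which is all a status re-check needs to do.

```python
"""Re-check an HTTP API anonymously: is it gated (401/403) or still open (200),
and does a short burst of anonymous calls hit a limiter (429)?"""
import http.server
import json
import threading
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProbeResult:
    url: str
    status: int
    requires_auth: bool        # 401/403: the endpoint is now gated
    rate_limited: bool         # 429: a limiter answered instead of the data
    retry_after: Optional[str]
    body_preview: str          # first bytes of the reply, to eyeball what leaks


def probe(url: str, timeout: float = 5.0) -> ProbeResult:
    """One anonymous GET with no credentials; only the reply is inspected."""
    req = urllib.request.Request(url, headers={"User-Agent": "api-recheck/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, headers, body = resp.status, resp.headers, resp.read(200)
    except urllib.error.HTTPError as err:   # 4xx/5xx land here, still with headers and body
        status, headers, body = err.code, err.headers, err.read(200)
    return ProbeResult(
        url=url,
        status=status,
        requires_auth=status in (401, 403),
        rate_limited=status == 429,
        retry_after=headers.get("Retry-After"),
        body_preview=body.decode("utf-8", "replace"),
    )


def probe_burst(url: str, count: int) -> dict:
    """Repeat the anonymous GET back to back and report whether a limiter kicked in."""
    results = [probe(url) for _ in range(count)]
    return {
        "sent": count,
        "throttled": sum(r.rate_limited for r in results),
        "first_429_at": next((i + 1 for i, r in enumerate(results) if r.rate_limited), None),
        "retry_after": next((r.retry_after for r in results if r.retry_after), None),
    }


class _FakeMerchantApi(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a merchant API; paths, data and thresholds are invented."""
    hits = 0   # class-level counter for the throttled path (requests arrive sequentially)

    def _send(self, status: int, payload: dict, extra: Optional[dict] = None) -> None:
        body = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        for name, value in (extra or {}).items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self) -> None:
        if self.path == "/demo/menu":           # public menu: open by design
            self._send(200, {"items": [{"name": "sample item", "price": 250}]})
        elif self.path == "/demo/merchant":     # merchant data: gated behind a token
            if self.headers.get("Authorization"):
                self._send(200, {"merchant": "sample"})
            else:
                self._send(401, {"error": "auth required"})
        elif self.path == "/demo/limited":      # open, but throttled after 3 anonymous hits
            type(self).hits += 1
            if type(self).hits > 3:
                self._send(429, {"error": "slow down"}, {"Retry-After": "5"})
            else:
                self._send(200, {"ok": True})
        else:
            self._send(404, {"error": "no such path"})

    def log_message(self, *_) -> None:          # keep the demo output quiet
        pass


def run_demo() -> dict:
    """Start the fake API on a loopback port, probe it anonymously, return the findings."""
    _FakeMerchantApi.hits = 0
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _FakeMerchantApi)
    base = f"http://127.0.0.1:{server.server_address[1]}"
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        menu = probe(f"{base}/demo/menu")
        merchant = probe(f"{base}/demo/merchant")
        burst = probe_burst(f"{base}/demo/limited", count=5)
    finally:
        server.shutdown()
        server.server_close()
    return {"menu": menu, "merchant": merchant, "burst": burst}


if __name__ == "__main__":
    for name, finding in run_demo().items():
        print(name, finding)
```

Against a real target, swap the loopback base for the host in question and keep the burst small: the point is to learn whether anonymous access is gated and whether a limiter answers, not to load the service, and a 200 with a body you were never issued credentials for is the finding to write down, not to dig into.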
History (reverse chronological order):
- [Wayback/Archive] How DotPe’s ‘Human Error’ Exposed Confidential Customer API Data
- [Wayback/Archive] Deedy on X: “Today, Google-backed DotPe locked down their APIs by rate-limiting by IP on /external/merchant and blocking others. They sent a legal notice to the author before fixing it and haven’t publicly acknowledged the issue at all. Companies must be held accountable for poor security.…”
[Wayback/Archive] Tweet JSON: [Wayback/Archive] GYSlTthakAEoojp.png:orig (2346×1838)

Now protected private API
- [Wayback/Archive] Deedy on X: “6 hours later, the API is still very much public! …”
[Wayback/Archive] Tweet JSON: [Wayback/Archive] GYK38dXbkAEEEs_.jpg:orig (1358×1798)
- [Wayback/Archive] pea bee on X: “Sorry guys – have taken the post down due to a legal notice from Dotpe. I could fight them because I didn’t access anything that wasn’t already public. But it’s not worth the hassle. The legal process in this country is in itself a punishment. 🙏”
- [Wayback/Archive] Deedy on X: “Indian startup Dotpe, that raised ~$100M to build point of sale systems for restaurants left their entire API fully public. A clever hacker found out the most ordered thing at every Social in India. And did a prank to order what he wanted for a person next to him! Zero auth. …”
[Wayback/Archive] Tweet JSON: [Wayback/Archive] GYJf7u4bUAEatHp.jpg:orig (1179×1711), [Wayback/Archive] GYJf7u1a4AAMawP.jpg:orig (1179×1936)
Rest of the thread at [Wayback/Archive] Thread by @deedydas on Thread Reader App
[WaybackSave/Archive] pea bee on X: “Only wrote about open APIs that anyone scanning their QR codes can view. Sales numbers were literally calculated from looking at their public menu webpage API calls. I didn’t access any backend APIs or internal documents.”
- [Wayback/Archive] What’s inside the QR code menu at this cafe? – by peabee (now returns an HTTP 404, but the archives are OK)
Related:
- [Wayback/Archive] DotPe – Crunchbase Company Profile & Funding
- [Wayback/Archive] Google-backed Dotpe adds 55,000 merchants across country in past 20 days | Company – Start-ups – News – Business Standard
Queries:
--jeroen
PS
Back when scheduling this, these APIs were still not protected (I did not test rate-limiting):