Tangential, but I wish companies like this didn’t force people to provide so much PII in the first place.
In Australia, I’m yet to use a QR menu that doesn’t force me to provide my phone number. Why is my phone number necessary to order a bowl of chips? Ah, I see, Liven needs my phone number so they can sell it, according to their Privacy Policy. Mr Yum apparently doesn’t sell it, but still forces me to provide it anyway.
That’s quite different from my experience using QR menus, which at least here in the UK are often just a (rather pointless) link to the PDF menu that the restaurant already had. It’s only in the case of medium sized chains that you get sent to some random website where you can order things.
It's become impossible to get sit down food or a drink in a US airport without using (what seems to be the same) company's QR code online order and pay to your seat system. It seems to be the same system for every restaurant or bar.
Besides needing to provide unnecessary amounts of information, it also requires a well working internet connection to load their bloated website. Which is often spotty so... very frustrating.
I personally always print a human readable url in monospace font underneath every QR code I generate.
A restaurant in California has its menu available only via a QR code, and the QR code is printed in MS Word with skewed dimensions (a rectangle instead of a square).
Yeah that’s a good point. I’m actually in the UK at the moment and Wetherspoons is the only place where I’m ordering with my phone (also, the Wetherspoon app is a great example of mobile ordering done right - fast and no collection of PII).
Compared to Melbourne where half the pubs I visit tell me to order via the QR menu where I have to punch in my number and get an OTP before I can order anything.
There's both QR codes that are links to menus and QR codes that are links to interactive menus you can order directly from. Usually the latter will require some sort of sign up.
Let me get this straight: your friend continues to use an electronic device which routinely delivers electric shocks to them upon execution of arbitrary software instructions?
> Why is my phone number necessary to order a bowl of chips?
Maybe as a backup for whatever unique device ID your phone gives them? The goal with QR menus right now is mostly conditioning people to accept them, but the long term goal is making it so that they can figure out who you are, what your income level is, what your eating habits are, what your order history has been, plus whatever else they feel like gathering and then using all that data to dynamically generate a menu with the highest possible prices they think they can wring out of you.
They want to make it so that when you order a bowl of chips they can charge you more than the person next to you who orders that same menu item without you ever being aware of that fact. They want to be able to adjust your prices with each visit to algorithmically determine the maximum amount you'll pay for something.
I'd suggest staying away from QR menus and rejecting the idea that discriminatory pricing is acceptable.
What about a group of people with different wealth profiles sitting at the same table? Would John who orders a steak and drives a Mercedes be charged $85 while Amy who drives a Honda Civic pay only $65 for that same steak?
Plane tickets are going into that direction, though no direct differentiation between people for now.
But routes/connections/timings indicating for example business travel will induce higher price than the same seat sold as part of flight indicating client more influenced by cost of flight.
And price differs between various places even in case buying the same seat for the same flight. For example you can effectively pay to skip deliberately annoying parts.
Many stores (including grocery stores) have already been testing it out.
The biggest hurdle they face is the fact that most people (if aware that it's happening at all) find it offensive, which it is. Even those store loyalty cards are conditioning us to accept the idea that certain people get, or even deserve to get, different prices because of who or what they are. Prices should be transparent and it shouldn't matter how much money you have, or who you know, or how "loyal" you are (what a sick concept!) to a grocery store.
Had a similar thing with my ISP. Upgraded to a faster speed and they tried to slap a $100 "installation fee" on it. Just said "I don't pay installation fees", and it worked out better than I thought it would.
I actually like the concept when executed properly.
If I’m eating out at a bar by myself, it means I don’t have to lose my table to get up and order. I also have social anxiety, if the bar is packed it’s a real problem for me. I’ll usually end up hovering while everyone else takes advantage and pushes in front of me.
The Wetherspoons app in the UK is a great example. Easy and fast to use, requires no account/PII just pay with Apple Pay.
Maybe so that if you live in a house where the "street address" doesn't actually match the street you're on, because 1950s town planning conflicts with 1590s town planning, the delivery driver can phone you before your "Special Mixed Kebab" - a bulging 16" pizza box full of doner, kofta, shaslik, shawerma, fried chicken, burgers, pakora, four Naan breads and half a litre of hummus, for 25 quid - gets cold?
> Obviously phone numbers for delivery has an actual use.
You would think that, wouldn't you?
I routinely see my real number printed on store receipts when the store has no reason to have them. GrubHub is supposed to anonymize numbers; the drivers always come through on a particular area code that I can recognize.
I've had drivers call me when lost, and it's always lost within my apartment complex (even though I've given really specific notes for every step of the way). I just explain it the same way I did in the notes, but they sometimes have a really poor sense of direction.
I've had a couple drivers call me because they refused to leave their car or come to the doorstep to put the food where they're supposed to. In fact, one of them sent me a photo of the Dumpster where I guess he tossed my meal.
Also, driver numbers are disclosed to the customer so that we can contact them. Drivers never answer their phones nor reply to texts. Their voice mail box is always full. If your order disappeared then the driver won't be answerable for that.
There's a bunch of PII, but another issue is a hacker could: refund every payment, start billing random cards, or move money out of their account (this is probably a little more difficult, but they could certainly pay out to the businesses).
Perhaps what they are used more is to start testing cards (we've had this attack happen to our production site on stripe's checkout.js... it'd be much easier if the attackers had our secret key)!
Additionally... if their site is this trivially insecure it won't end here.
Possibly. Stripe supports limited scope API keys called "restricted" that aren't allowed to eg refund payments, though they're not the default. I have no idea how many people are actually using them.
And Stripe can shut it down then respond with "we can only discuss this with a Director of the company. Let us know when you have one and are legally able to be in business."
I’d argue that it’s ethically the right decision — particularly when the SaaS provider seem to be burying their head in the sand. Legally on the other hand?
In Stripe's case, I've been very happy with how responsive their support is (even my Suggestion Box submissions get personal replies) - I'd expect Stripe to suspend that account within a couple of hours, regardless of the time-of-day.
But if it was, say, Authorize.net (I can't be the only one?) I'd probably take direct-action (via an anonymous proxy, of course - legacy companies just can't stop themselves shooting the messenger first...)
(Disclaimer: I haven't had to deal with Authorize.net since 2016 - can anyone say if things improved since then?)
That's shocking and a shame because the platform itself is a good idea and I'd much prefer to order directly from a restaurant than have up to 30% of my order value go to rent seekers like JustEat, Deliveroo or Uber Eats.
This isn't a 'coding slip up.' The original issue, as egregious and terrible as it is, could have been a mistake. However, whoever implemented 'the fix' is someone acting with unforgivable malice and deceit.
I have a good feeling this is more of copy-pasta code from either Copilot or ChatGPT or StackOverflow. That also explains why they handled encryption the way described in the article.
Dev: "Hey LLM, how do I pass data around in a secure way?"
Bot: "You can encrypt the data before you send it, so that only users who have the relevant keys can read them"
Dev: "Hey LLM, it is not possible to access the data I have encrypted on the frontend"
Bot: "Here is the javascript code to decrypt the data you have passed then"
I don't think this site was the work of an LLM. I think it was the result of somebody who just learned frontend JavaScript trying to hack together a website and business, with next to no practical knowledge.
There's all sorts of weird stuff, and it definitely looks like the kind of thing you'd see a beginner copy-pasting code and trying things out would create. The site sets a cookie containing the key-value pair "key":"value", for example.
This was at a small logistics company you’ve never heard of (read: not the best development practices) so the habit was eventually caught in a code review and corrected. I must have written a dozen or so of those prior to that.
With attribute selectors like what you have mentioned it would work. But `$('#Fish & Chips')` most certainly will not, since jQuery would throw a syntax error.
It makes sense to throw a syntax error but I wasn't sure what the actual behavior would be. Made me wonder if jQuery did some magic to understand what is being queried.
jQuery first came-out long before browsers had querySelector: it used a 100% JS reimplementation of a CSS selector parser and evaluator, which was eventually spun-off into its own library: Sizzle.js: https://github.com/jquery/sizzle - Surprisingly, jQuery didn't fully remove Sizzle until 2019 ( https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ ) - if that seems surprisingly recent, don't forget that querySelector wasn't added to the DOM API until 2013 - with only IE11 supporting it: some places were still using even IE6 well past then, so it makes sense for jQuery to support it for so long.
So using newer CSS selector features, like attribute value selectors, will work fine in post-Sizzle jQuery versions.
Assuming this is human-written, it only makes sense to me as something cooked up by someone who understands a bit of JS but sincerely has no clue how browsers work. A smart and ambitious, if somewhat incurious, junior engineer at work.
Is it really malpractice if there are zero education requirements, going as far as purposely not calling it software engineering since there are zero standards for the 'engineering' being done?
You can be negligent because there are rules of the road you sign up for, and get a license for.
But if it's just a job you take with zero qualifications required, how can you be liable? The company, maybe. The programmer? Aren't called code monkeys for nothing.
Oh, I see what you’re saying. I agree. Although even with driving, an unlicensed driver would still be liable.
I suppose it depends what you consider agreement to social rules and how you define liability. I can certainly be held liable for damages for my actions to others which do not require me to hold any license - merely break the law.
Did I agree to the “rules of the road” when I was born? Do I consent by not emigrating?
This reminds me of a contract I did. End users had complained that they were getting more spam after signing up for an account. I thought it must be a coincidence.
I jump into the firebase console and look at the security rules.
`allow read, write: if true;`
Turns out that the whole customer database was wide open. After fixing it up, I tried to work out how things had ended up like this. The entire system had been written by an intern...
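The open rule quoted in the comment above can be caught mechanically before a rules file is deployed. This is an added example, not code from the commenter or their project: a JavaScript check that walks a rules file and reports every `allow` statement whose condition is literally `true`, shown against an open rule set and a scoped one. It assumes Firestore rules syntax; both rule sets are constructed samples and `findOpenRules` is a hypothetical helper name.

```javascript
// Added example. Both rule sets are constructed samples in Firestore rules syntax.
const OPEN_RULES = `
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;
    }
  }
}`;

const SCOPED_RULES = `
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      // Only the signed-in owner of the document may touch it.
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
  }
}`;

// findOpenRules is a hypothetical helper name, not part of any Firebase SDK.
function findOpenRules(rulesText) {
  // Drop comments so commented-out rules are not reported.
  const text = rulesText.replace(/\/\*[\s\S]*?\*\//g, '').replace(/\/\/.*$/gm, '');
  const token = /\bmatch\s+(\/\S*)\s*\{|\ballow\s+([^:;]+?)\s*(?::\s*if\s+([^;]+?))?\s*;|\{|\}/g;
  const stack = [];    // one entry per open block: a match path, or null
  const findings = [];
  let m;
  while ((m = token.exec(text)) !== null) {
    if (m[1] !== undefined) stack.push(m[1]);
    else if (m[0] === '{') stack.push(null);
    else if (m[0] === '}') stack.pop();
    else {
      const condition = (m[3] || '').replace(/[()\s]/g, '');
      if (condition === 'true') {
        findings.push({
          path: stack.filter(Boolean).join(''),
          methods: m[2].split(',').map((s) => s.trim()),
        });
      }
    }
  }
  return findings;
}

console.log(findOpenRules(OPEN_RULES));
console.log(findOpenRules(SCOPED_RULES));
```

The check only recognises the literal `if true` form; a condition that is always true for other reasons still needs a manual review of the rules.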
Also interesting that there are three directors linked with the associated companies, all named Jamal Ahmed: one born September 1978, another born March 1978, and a third born September 1999.
I usually check out anyone we hire on Companies House. On numerous occasions we've found people with at least 3 slightly different names or dates of birth that work for the same pile of dissolved companies. Sometimes you can Google the different names or look on LinkedIn and see they are exactly the same person.
But the real problem here is that the data they collect isn't seen as a liability. If anything, it's an asset. This externality means that forfeiting people's personal info costs them nothing or nearly nothing.
> Ya know the worst part? After explaining all this, my chips were cold. Oh, the humanity.
The worst part for me is that the blog reads like a short story instead of a technical analysis. And, given that it's published via ghost.org, makes me think there's just a bunch of scams and meta-scams going on... one layered on top of the other.
Alone it doesn't at all, but when you couple the tagline "Turn your audience into a business" along with the blog's more literary narrative style, the whole piece strikes me as entertainment meant for a particular cohort instead of a rigorous analysis.
In addition, the tone of the article seems overly condescending to me. I certainly don't want to minimize accountability and the severity of security holes, but in the real world where startups are trying to hastily bring products to market, they are often understaffed and there is a certain reality that can't be denied.
The author may have indeed found flagrant problems but, in even moderately complex systems, there are big struggles with a diffusion of responsibility and a lot that can be lost in translation; for many reasons besides technical ineptitude.
Ultimately there was too much punditry and not enough of a clinical postmortem for my taste. Of course I don't seem to hold the popular opinion here given that my comment got down-voted rather severely, which seems unjustified. Oh well.